Author Archives: privacynewshighlights

Privacy News Highlghts 16-31 January 2014


WW – As Facial Recognition Uses Expand, Privacy Concerns Abound

Companies are working on facial recognition-based “VIP identification” for hotels and other businesses expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field. A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. [The New York Times]

WW – Facial Recognition Databases Demand “Responsible” Actions

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.” [The Atlantic]


CA – Privacy Commissioner Provides Recommendations to Parliament for the Protection of Privacy Rights In National Security Efforts

On the occasion of International Data Privacy Day, a special report to Parliament by the Office of the Privacy Commissioner of Canada, with specific recommendations to address current issues surrounding privacy and national security, was tabled in Parliament. Building from consultation with a range of experts and civil society, the Office’s report makes a series of recommendations for Parliament to consider in order to strengthen privacy protection.   Specifically, it suggests ways to increase transparency, modernize privacy laws and bolster Parliament’s oversight role. [Source]

CA – Canadian Spy Agency Gleaned Passengers’ Data From Airport’s Wifi

A federal electronic spy agency tracked thousands of people who passed through a Canadian airport using information gleaned from free wireless Internet service. Citing a secret document leaked by former U.S. security contractor Edward Snowden, CBC reported that Communications Security Establishment Canada (CSEC) collected data from passengers’ smartphones and laptops over a two-week period and tracked those devices for a week or longer afterward. CSEC is tasked with collecting foreign intelligence under law and can’t target Canadians, or anyone within Canada, without a warrant. CBC quoted several experts who said CSEC’s actions were “almost certainly illegal.” The document leaked is a 27-page presentation on a “trial run” of the program, dated May 2012, reported the CBC. The technology was to be shared with the so-called “Five Eyes” spy partnership composed of Canada, the U.S., Britain, New Zealand and Australia. [Source]

CA – Alberta to Update Privacy Law

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional.” The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government’s intention to pass the amendments early in the fall 2014 session to comply with the court’s ruling,” Service Alberta’s Gerald Kastendieck said. The amendments will “focus on unions and picketing,” the report states, noting, “There won’t be a general review of the 10-year-old legislation this year.” [The Canadian Press]

CA – NF Premier Calls for Changes to Restrictions

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended.” Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports. [The Globe and Mail


WW – Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But less than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. [Privacy Tools] [DATA PRIVACY DAY: 56% are worried about the internet eroding their personal privacy]

WW – Which Information Do Consumers Most Closely Guard?

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create With Context (CWC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50% off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CWC’s Ilana Westerman and Gabriela Aschenberger found, including how “97% of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” [Privacy Perspectives] [Has a jealous lover hired hackers to get into your e-mail?] []

US – E-Receipts Helping Retailers Do More than Save Paper

Paper receipts are headed toward extinction, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83% of retailers offering e-receipts did so to obtain a customer’s e-mail address. [Today]

US – Ad Agencies More Worried About Scale than Privacy

At a recent meeting of digital ad agencies, representatives indicated a lack of concern about the future safety of customer data, despite recent hacks at Target, Neiman Marcus and Snapchat. The agencies said clients are excited about hyper-location data tools. Asked what the biggest hurdles may be to marketing on mobile and whether privacy and security were top-of-list, agencies instead cited a need for bigger audiences and getting technology startups to explain how their tracking products work. The director of mobile strategy at Horizon Media said while clients are excited about new data, they rely on the ad agencies to be sure privacy issues are addressed. [Forbes]


US – White House Launches Future of Privacy Review

John Podesta, a counselor to the president, announced in The White House Blog he will lead a review on how “Big Data will affect the way we live and work; the relationship between government and citizens, and how public and privacy sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy.” Podesta will be joined by the secretaries of commerce and energy as well as science and economic advisors and “other senior government officials” to “help identify technological changes to watch; whether those technological changes are addressed by the U.S.’s current policy framework, and highlight where further government action” may be needed. [White House blog]

US – Justice Dept. to Allow More Transparency; More Surveillance Programs Revealed

Ahead of President Barack Obama’s annual State of the Union speech on what many in the privacy community know as Data Privacy Day, the Justice Department agreed to let technology companies disclose more data to the public on national security requests. The agreement will allow companies—including Facebook, Apple, Microsoft, Google and Yahoo—to publish additional aggregate information, including, for the first time, Foreign Intelligence Surveillance Court requests. This roundup for The Privacy Advisor looks into the agreement and what’s expected from Obama’s State of the Union address tonight, as well as new documents leaked by Edward Snowden on the U.S. NSA and UK’s GCHQ surveillance programs. [Privacy Advisor] See also: [Federal government tweets take weeks to produce]

US – State Department Inspector Finds Security Issues Remain Unaddressed

According to an audit report from the Office of Inspector General (OIG), there are “significant and recurring weaknesses in the Department of State information system security program.” The IG was critical of the department’s failure to address security problems found in previous audits. [GovInfoSecurity] [] See also: [B.C. auditor-general warns of cyberthreats]

CA – Spy Agency’s Work With CSIS, RCMP Fuels Fears of Privacy Breaches

Canada’s foreign-intelligence surveillance agency received nearly 300 requests for assistance from domestic security agencies over a four-year period – a degree of collaboration that is raising alarm bells for privacy advocates. A disclosure from Communications Security Establishment Canada, obtained by The Globe through an Access to Information request, shows the Canadian Security Intelligence Service sought help from CSEC 205 times between 2009 and 2012. The RCMP made 85 such requests during the same time span. These “support to lawful access” figures – which have never been released before – show that close collaboration with other federal agencies is routine for Canada’s electronic-eavesdropping agency.Watchdogs and judges have recently raised concerns that ill-considered intelligence collaborations can lead to illegal wiretapping, wrongful arrests – or even violence against travelling Canadian suspects who are red-flagged to intelligence agencies operating overseas. On Tuesday, the Office of the Federal Privacy Commissioner called upon CSEC to “proactively disclose” just how much it is working with the other federal agencies. [Source] See also: [REPLAY: Ontario Privacy Commissioner Ann Cavoukian’s International Privacy Day 2014 Event “Big Surveillance Demands Big Privacy –

Enter Privacy-Protective Surveillance“] [Source] and [NSA Spying Sends Data to Canada]

US – DHS Warns Contractors of Data Breach

The US Department of Homeland Security (DHS) has notified contractors that sensitive data belonging to their companies, including private documents and bank account information, were compromised in a security breach. The incident affects at least 114 companies that bid on a DHS Science and Technology Division contract last year. [DarkReading] [KrebOnSecurity]

US – Website Marketing Driver Records Scrutinized

Did you know the state sells your driving information and has been doing so for decades? Now the process is ready to be brought online and that’s raising concerns about identity theft. “We’re literally selling the personal information of people who register their vehicles in Connecticut to private insurance companies,” said Sen. Robert Kane, R-CT. Kane said he’s worried about what will happen when the state puts all of that information online. In the past, companies would have to request the information they need and would receive it in large data files. Last year the state made more than $20 million by selling driver’s license information to companies. [Source] See also: [Site lets Swedes snoop on friends’ criminal past]


WW – Yahoo Resetting Passwords After Compromise Attempts

Yahoo has reset passwords for Yahoo Mail accounts that appear to have been compromised. Yahoo said that the attackers had likely stolen usernames and passwords from a third-party database and attempted to use the information to log into Yahoo Mail accounts. Users whose accounts were affected received messages from Yahoo notifying them of “unusual activity on the network.” [Internet Storm Center] [CNN] [ComputerWorld] [TheRegister] [Ars Technica] and: [US: No sixth sense: ‘123456’ is worst password of 2013] and also: [How Canada’s Anti-Spam Enforcers Will Cooperate, Coordinate, Share Information]

Electronic Records

US – Students Expelled After Hacking Into School Computers

A California high school has expelled 11 students “accused of using keyloggers to spy on their teachers’ computer systems, infiltrate the network and change their grades electronically”—the maximum discipline penalty allowed by the education code. The students allegedly worked with a tutor to learn how to hack into Corona del Mar High School’s systems with the goal of changing their grades and stealing tests, the report states, noting police are seeking to interview the tutor. Officials have said they are unsure how many grades were changed, but a total of 52,000 grades issued over a one-year period are being audited. [CNet]

US – ND Leads Nation in Electronic Medical Records Use

In North Dakota, medical records are more likely than other states to be stored electronically rather than in a paper folder. A report this month from the national Centers for Disease Control and Prevention said North Dakota health care providers are ahead of the rest of the country in adopting electronic systems to manage patient records. According to the report, 82.9% of North Dakota’s office-based physicians use a basic electronic health record system. The next highest rate was in Minnesota, with 75.5%. New Jersey’s rate was the lowest, at 21.2%. The study defines a basic records system as one that allows doctors to access patient history, demographics, patient problems, clinical notes, medications and allergies, test results and other information. The national average for adoption of basic systems was 48% in 2013. The average for doctors using any type of electronic records, other than for billing, was 66%. North Dakota is part of a cluster of states with significantly higher than average adoption, including South Dakota, Minnesota, Iowa and Wisconsin. [Source]

NZ – Patients to Run Health Care Online

The face of New Zealand healthcare will change before the year is out as Kiwis are signed into patient portals allowing them to self-manage their medical records, book doctor appointments and chat to their GP online. The new multi-million dollar electronic healthcare system is a hybrid of internet banking and social networking – giving patients a secure account to view their medical records and test results, but also a private platform to instantly message their GP. National health IT board director Graeme Osborne said the patient portal service was “ground-breaking”. It would empower Kiwis to take control of their own healthcare. More than 50 per cent of the country’s general practices would be using the service by the end of 2014, he said. [Source]


WW – Cryptographers, Others Sound Off on NSA Programs

There is pressure on the U.S. government to reform the NSA’s surveillance programs, most recently from more than 50 cryptography experts in an open letter published this week. “The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy and the U.S. technology sector is readily apparent,” the letter reads. Meanwhile, the Republican Party passed a resolution at its annual meeting on Friday condemning the NSA’s massive collection of data. Stanford Center for Internet and Society’s Jennifer Granick writes on the Privacy and Civil Liberties Oversight Board’s report that NSA data collection is illegal. [The Verge]

US – Lavabit Case Highlights Legal Fuzziness Around Encryption Rules

The now-defunct e-mail encryption service Lavabit founder Ladar Levison’s fight against contempt-of-court orders. The case involves Levison’s refusal to hand over data on a particular user—rumored to be Edward Snowden—when the government came knocking for it; specifically, they wanted Levison’s SSL keys—which unencrypt encrypted data. Three judges for the Fourth U.S. Circuit Court of Appeals in Virginia are hearing the case, one of whom criticized the FBI agents involved in the case for not working with Lavabit to overcome the technical obstacles that delayed Levison’s eventual compliance. The government does not plan to prosecute Levison for obstruction of justice for shutting down Lavabit, the report states. [CIO] See also: [Footage released of Guardian editors destroying Snowden hard drives] [Footage of the hard drives being destroyed]

EU Developments

EU – German Court of Justice Clarifies Rules on Credit Scoring, Access

Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. Hunton & Williams’ Privacy and Information Security Law Blog reports that “while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score.

EU – Making a Privacy Law for the 21st Century

With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, who reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.” [Privacy Perspectives] See also outgoing European Data Protection Supervisor Peter Hustinx has agreed to stay on the job until October after the European Commission rejected the candidates seeking to replace Hustinx. [Confusion over EU data protection watchdog resolved]

UK – Court Confirms Privacy Tort and Addresses Meaning of Personal Information

On January 16, 2014, the English High Court of Justice issued reasons in Vidal-Hall v. Google Inc. relating to an appeal of a Master’s decision to allow Google to be served outside of the jurisdiction in relation to claims brought in connection with tracking and collating, information relating to the claimants’ internet usage through the claimants’ Apple Safari internet browser. Importantly for the UK, the High Court explicitly recognized the tort of misuse of private information (at para. 70). Perhaps more far-reaching, at least from the perspective of the ongoing debate in Canada and elsewhere concerning the boundaries of what is “personal information”, the High Court addressed the argument that the information generated by the claimants’ searches and used in interest-based advertising was not really personal information. Spoiler alert. The court followed similar logic as the Office of the Privacy Commissioner of Canada in its online behavioural advertising guidance. [Source]

US – Regulation Won’t Be Adopted Before May Elections

With several member states aiming to water it down, the revised data protection law will not be adopted before European Parliament elections in May. EU Justice Commissioner Viviane Reding and the lead negotiators on the package agreed to set the deadline for before the end of the year. German Green MEP Jan Philipp Albrecht said the timetable established seeks a mandate for negotiations in June, adding, “If it will be possible to stick to this timetable, this would be good news and important.” The member states aiming to soften the regulation—UK, Denmark, Hungary and Slovenia—would prefer to see it turned into a directive instead. [EUObserver]

US – Reding Calls for Billion-Dollar Fines

European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously., meanwhile, reports the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.” [BBC News]

EU – EU Has Secret Plan for Police to ‘Remote Stop’ Cars

The EU is secretly developing a “remote stopping” device to be fitted to all cars that would allow the police to disable vehicles at the flick of a switch from a control room. Confidential documents from a committee of senior EU police officers, who hold their meetings in secret, have set out a plan entitled “remote stopping vehicles” as part of wider law enforcement surveillance and tracking measures. “The project will work on a technological solution that can be a ‘build in standard’ for all cars that enter the European market,” said a restricted document. The devices, which could be in all new cars by the end of the decade, would be activated by a police officer working from a computer screen in a central headquarters. Once enabled the engine of a car used by a fugitive or other suspect would stop, the supply of fuel would be cut and the ignition switched off. The technology, scheduled for a six-year development timetable, is aimed at bringing dangerous high-speed car chases to an end and to make redundant current stopping techniques such as spiking a vehicle’s tyres. The proposal was outlined as part of the “key objectives” for the “European Network of Law Enforcement Technologies”, or Enlets, a secretive off-shoot of a European “working party” aimed at enhancing police cooperation across the EU. [Source]

Facts & Stats

WW – A New Handy Guide to Global DPAs

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 2.0 just in time for Data Privacy Day. [The Privacy Advisor]


WW – Microsoft Hints Overseas Users Can Store Data Outside U.S.

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland. [Reuters]


CA – Law That Hides Massive Health Privacy Breach from Patients Is Useless

When nearly one-sixth of all Albertans have their medical information stolen, and nobody says a damn thing about it for nearly four months, a lot of people are going to be very angry. Fred Horne, for instance. He’s the health minister. He was also a patient at a Medicentres clinic, the group whose information technology “expert” left a laptop loaded with 620,000 patient records lying around. He makes the crucial point: “We need to think about who was left out of this equation — the patient.” Patients and the public should have been told within days — by the Edmonton police, the Medicentres group and most certainly by Alberta’s Information and Privacy Commission, which was informed right at the start but sat on the information. [Source] [Four other cases of stolen health data in Alberta] [Minister ‘outraged’ over stolen laptop holding 620,000 Albertans’ health data]

CA – Former Inmate Denied Access to Own Medical Records

A former Ottawa-Carleton Detention Centre inmate who was allegedly viciously assaulted by a guard has been denied access to his own medical records. The Ministry of Community Safety and Protective Services refused to provide Jean Paul Rheaume with his medical records from the jail on the basis that the information was a record relating to the ongoing prosecution of his alleged attacker. The Information and Privacy Commissioner of Ontario upheld the decision. This week, Rheaume requested a divisional court overturn that decision. In a court filing seeking to overturn the ruling, Rheaume’s lawyer argued the effect of the Information and Privacy Commissioner’s ruling “is the perverse result that a victim of crime is denied access to his medical records.” [Source]


US – Will Transparency Calm Concerns Over Government Access?

In light of the agreement by the U.S. Department of Justice to allow Internet companies to disclose more aggregated data on law enforcement requests for access to user information, Hogan Lovells’ Christopher Wolf delves into whether increased transparency will quell concerns over government access. Wolf writes, “The transparency reports, which soon will have greater granularity, should help the world understand that the U.S. is hardly alone in its national security practices and that reform needs to be viewed as a global concern.” [Privacy Perspectives]

US – DOJ Relaxes Gag Order on Government Data Requests

In response to legal challenges from tech companies, the US Justice Department (DOJ) has agreed to relax the gag orders that accompany certain government requests for data. Companies are now permitted to release information about the numbers of National Security Letters (NSLs) and Foreign Intelligence Surveillance Court (FISC) requests they receive; those numbers must be reported within ranges of 1,000. The companies may also release information, again in the broad ranges, of the number of customer accounts affected by the requests. If the companies choose to combine the data for NSL and FISC requests, they may publish within ranges of 250. The data may be published every six months with a six-month delay. The DOJ has also imposed a two-year delay on reporting statistics from the date “the first order … is served on a company for a platform, product, or service … for which the company has not previously received such an order.” [WashPost] [NYTimes] [WIRED] [FISA Court Notice]


SK – Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korean Herald]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

Bloomberg reports on a revised privacy lawsuit against Google. The suit alleges the company comingled data across its services and products—in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the comingling of data deprived them of the “economic value” of their data, the report states. Thursday’s revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Full Story]

WW – Second-Hand Chrome Extensions Are Being Turned into Adware

At least two Chrome browser extensions that were sold have been used by their new owners to launch aggressive advertising campaigns. A developer reported last week that after he sold his extension, it was turned into adware. That extension had more than 30,000 users before it was sold. Another developer reported a similar incident. Chrome extensions are updated in the background without user interaction unless the extension’s permissions are changed. The adware, which works in the background to inject specific ads into the sites users visit, violates the Chrome Web Store developer program policies. Google has banned the two now-questionable extensions from the Chrome Store. It is possible that second-hand extensions could be used for more malicious purposes. [ComputerWorld] [ZDNet] [LATimes]

Health / Medical

US – Is Policy Needed for “Personal Representative” PHI Disclosures?

Federal health IT advisors are struggling with whether new policies are needed to address an ongoing and increasingly common HIPAA issue likely to grow as baby boomers age. The issue at hand is caregiver, family member and “personal representative” access to patients’ personal information, the report states; HIPAA’s privacy rule requires covered entities to provide someone authorized under state law to act on a patient’s behalf with access to their personal health data. The Health IT Policy Committee’s Privacy & Security Tiger Team Co-Chair Deven McGraw discussed whether policy should be developed on the matter or if “best practices” recommendations would suffice. [Government Health IT]

US – World Privacy Forum Releases New HIPAA Report

The World Privacy Forum (WPF) has released a new report on a recently added option within the Health Insurance Portability and Accountability Act (HIPAA) on the right to restrict disclosure. Co-written by WPF Founder and Executive Director Pam Dixon and privacy and information policy consultant Bob Gellman, Paying out of Pocket To Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right To Restrict Disclosure looks into this new right as it “will take effort and planning for patients to utilize effectively,” the WPF press release states. [WPF] [AB: Former privacy czar says tougher laws needed in wake of latest health breach]

Horror Stories

US – OfficeMax Blames Data Broker for “Daughter Killed” Mailing

In one of the latest developments in the headline-making story of a targeted mailing sent to a Chicago man with the disturbing words “Daughter Killed in Car Crash or Current Business” as part of the address OfficeMax has said it “unintentionally bought (that information) from a third-party data broker.” OfficeMax requested a mailing list from the broker “for Businesses, Small Offices and Home Offices … NO personal information qualifiers were part of our request; we were not seeking personal information and did not ask for it,” a company spokesperson wrote. “As an additional measure to prevent future mailing errors, we have upgraded the filters designed to flag inappropriate information.” [Forbes]

US – Target Breach Used Stolen Vendor Access Credentials

A Target spokesperson said that the breach that compromised payment card details and personal information of millions of the retailer’s customers came about through credentials stolen from a vendor. A preliminary look at the malware used in the breach suggested that the attackers may have exploited a vulnerable feature in IT management software on the company’s internal network. [GovInfoSecurity] [ZDNet] [Ars Technica] [ComputerWorld] [KrebsOnSecurity] [InformationWeek] See also: [Visa Issued Alerts Last Year About Type of Attack Used Against Target and Neiman Marcus] and [Laptops Stolen From Coca-Cola Contained Unencrypted Employee Data] and [Stolen Laptop Contains Health Data of 620,000 Alberta, Canada Residents] and [Personal information from 100 million South Korean credit cards stolen]

US – LabMD: FTC Investigation Forced Closure

Atlanta-based LabMD shut down its operations this week due to the ongoing FTC investigation over a data breach there, Computerworld reports. LabMD CEO Michael Daugherty says the FTC’s investigation is an “abuse of power” and has accused the FTC of overstepping its authority in its pursuit of LabMD. He added that the small company is “exhausted” from the last four years, during which the FTC has subpoenaed dozens of LabMD employees, required executives to travel to give depositions and requested information from the company. [ComputerWorld]

Identity Issues

US – Twitter Account Lost to Extortionist

A California man claims to have lost his Twitter account to an extortionist who was allegedly holding the man’s other online accounts and services hostage. Naoki Hiroshima has been using the @N Twitter account since 2007 and says that there have been numerous other attempts to steal it. The extortionist managed to gain control of Hiroshima’s domain name and through that, was able to control Hiroshima’s email. Hiroshima surrendered the Twitter handle to regain control of the domain names, and was also able to get the hacker to tell him how he managed to gain control of the domain names in the first place. [TheRegister] [ArsTechnica] [eWeek]

US – FTC Settles Safe Harbor Charges Against 12 Companies

The FTC has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission’s Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.” [FTC]

US – Verizon Releases First Transparency Report

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012. [Source]

Intellectual Property

US – Farmers Warned About Sharing Data with Monsanto, Others

Services Midwest farmers can sign up for allowing “big agribusiness” to collect data “minute by minute, as they plant and harvest their crops … promising to mine that data for tips that will put more money in farmers’ pockets.” However, the American Farm Bureau Federation is warning farmers to be cautious, the report states, suggesting such services “could threaten farmers’ privacy and give the big companies too much power.” One participant in an experimental data-sharing system from Monsanto said, “My theory is, if they have my information, and they’re out there working with me, I’m hoping that they’re going to bring me a better product.” [NPR] See also: [This Google Glass user went to the movies. Then he got interrogated for about four hours]

EU – Study Says France’s Three-Strike Policy Has Not Curbed Piracy

A study of French Internet users found that the country’s “three-strikes” anti-piracy policy has had little to no effect on users obtaining pirated content. The policy “has not deterred individuals from engaging in digital piracy [nor has it lessened] illegal activity of those who did engage in piracy,” according to the report’s authors, researchers at the University of Delaware and the University of Rennes. The report does mention another study that found a 20-25 percent increase in sales of French music on iTunes shortly before the law took effect, but they say it was due to “public education efforts” instead of the law itself. [ArsTechnica] [SSRN]

US – Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA

The US District Court for the Northern District of California has dismissed a lawsuit against Keith Freedman, who was accused of accessing and copying information from his former employee’s servers. The suit alleged that Freedman had violated provisions of the Computer Fraud and Abuse Act (CFAA). Freedman used valid credentials to access the information, according to the court, which does not constitute a violation of the CFAA. Freedman was accused of accessing his former employer’s data while using access credentials issued to one of the firm’s customers while Freedman was doing work for both companies. US Magistrate Judge Paul Grewal wrote, “CFAA regulates access to data, not its use by those entitled to access it.” [ComputerWorld] [CourthouseNews]

EU – Dutch Court Lifts Ban on the Pirate Bay

A Dutch court has lifted a ban on The Pirate Bay, allowing Internet service providers to permit users to access the torrent site. The Dutch Court of Appeals in The Hague determined that a ban on The Pirate Bay had proven to be ineffective at stopping piracy. The court found that while the block order reduced traffic to The Pirate Bay, torrent levels did not decline. Users determined to obtain copyrighted material illegally were finding ways of obtaining the content. The ruling also means that the anti-piracy group that brought the original case must now pay ISPs 400,000 euros (US $542,000) in legal costs. That group, Brein, is considering taking the case to the country’s Supreme Court. [BBC] [SC Magazine]

Internet / WWW

WW – New Whitepapers on Cloud Computing

The IAPP has recently posted four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. [IAPP Resource Center]

WW – IAPP Releases Two New Whitepapers for #DPD2014

Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released for Data Privacy Day two new whitepapers. “Privacy Polices: How To Communicate Effectively With Consumers“ is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense “ was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. [Privacy 101 for SMEs]

WW – At World Economic Forum, Industry Leaders Call for New Privacy Rules

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system.” Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100% privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch’s call this week for “a clear regulatory framework to keep intelligence services in check.” [CNET News] See also: [Exit records: Crossing the border can be a matter of public concern] [Canada, U.S. to share names from border crossings] and [Dear America, I Saw You Naked]

WW – Edward Snowden Has Been Nominated for a Nobel Peace Prize

Edward Snowden spent the last year revealing some of the government’s most tightly held secrets, kicking off a massive debate about the proper role of America’s intelligence services. Now, a pair of Norwegian politicians have nominated the NSA leaker for a Nobel Peace Prize. In their nomination letter, Baard Vegar Solhjell and Snorre Valen, who hail from the Socialist Left party, said Snowden’s revelations “contributed to a more stable and peaceful world order.” [Source] See also: [Snowden Calls Russian-Spy Story “Absurd” in Exclusive Interview]

US – How To Solve Obama’s Big Data Challenge

Speaking to a group of students earlier this week, White House Deputy Chief Technology Officer Nicole Wong discussed the challenges of addressing privacy when utilizing Big Data and highlighted President Barack Obama’s recently announced Big Data study to be headed by John Podesta. By making these recent remarks and initiating this new study, “President Obama grabbed the Big Data bull by the horns,” write Future of Privacy Forum Co-Founders Jules Polonetsky, Christopher Wolf and Omer Tene. These three privacy experts lay out the potential privacy concerns while addressing “the profound impact of new technologies on Big Data business opportunities,” adding, “Big Data was all the rage in privacy circles in 2013, and now it is achieving appropriate, broad policy attention.” [Privacy Perspectives]

Law Enforcement

WW – The All-New IAPP Mobile App Privacy Tool

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. You may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data. The IAPP’s Westin Research Center has launched a new tool to help with compliance requirements imposed by regulators and trade associations in both the U.S. and Europe. [Comparison of Mobile Application Guidelines Tool]

US – Officials Want Rules on Data Breach Disclosures

U.S. law enforcement officials have called on Congress to draft stricter requirements for how retailers and other private businesses should report large breaches of personal and financial data. FBI Director James Comey said political uproar over surveillance and the Edward Snowden leaks have complicated discussions about how to fight consumer data breaches, the report states. “There is the threat of fraud and theft because we’ve connected our lives to the Internet,” Comey said. “We need to make sure that the private sector knows the rules of the road and how we share that information with the government.” Meanwhile, Sen. Jay Rockefeller (D-WV) has qualms with letting a third party store NSA telephone metadata. [Reuters]

UR – Gov’t Locates Riot Participants, Sends Text Warnings

Efforts by the Ukrainian government to quiet violent protests include a text message sent to mobile phone users in the vicinity of the clashes reading, “Dear subscriber, you are registered as a participant in a mass riot.” The interior ministry has denied involvement in sending the texts, as have two telephone providers. Another provider said, “We strictly observe the confidentiality of our users, their telephone numbers and locations.” The interior ministry did say it is using video footage to arrest the most active participants in the riot. The protests were sparked by new laws on public gatherings. [The Guardian] See also: [Canadian police forces looking to arm officers with cameras]

US – San Jose Considers Tapping Private Surveillance Cameras

Under a new proposal to be heard by San Jose’s City Council next week, police would be able to tap into residents’ private video cameras. The proposal would allow property owners to voluntarily register their security cameras for a new database managed by the San Jose Police Department in order to help solve crimes. A spokesperson from the police department said it is reviewing the program’s merits and any privacy concerns. [Emergency Management]

CA – Cavoukian Seeks Limits on Sharing Medical Records With Foreign Agencies

Canadian police forces should only share sensitive mental health records with foreign agencies when a public threat can be demonstrated, says Ann Cavoukian, Ontario’s information and privacy commissioner. Her remarks highlight concerns raised in a Star story about Ellen Richardson, a disabled Toronto woman who was denied entry to the U.S. and missed out on a 10-day cruise because a 2012 “mental health episode’’ came up on a U.S. border computer. Cavoukian’s concerns and recommendation will be the centrepiece of a report she plans to present in April. Her comments came at a time when Canadian border officials are planning to share personal information obtained under a new Canada-U.S. border data-sharing program with other federal departments. The Star revealed that Ottawa and Washington will start sharing their citizens’ travel and biographic data this summer, meaning anyone from Canada travelling to or from the United States by land can have their information passed on to federal departments. [Source]


US – Personalized Ads Super Bowl-Style; SocialRadar Released

As the NFL makes last-minute preparations for the Super Bowl, The New York Times reports on plans to feature personalized ads based on physical location, both in Times Square and at MetLife Stadium. At both locations, the NFL has placed transmitters designed to send ad-based signals to smartphones. “When it rolls out, you will see all this utility for it,” said the University of Washington’s Ryan Calo, “And at some point, the economic incentives will come into play, and it won’t be pretty.” Meanwhile, a new iPhone app called SocialRadar has been released. The app aggregates data from Facebook, Foursquare, Instagram, Twitter, LinkedIn and Google+ and finds users’ social media contacts based on location and shares locations, profile data and recent posts. [New York Times] [4 Unanswered Questions About In-Store Tracking and Privacy]

WW – Researchers Create Android App to Show When Other Apps Track You

A team of researchers has developed an Android app to help people better understand when their location is being accessed, something that happens more often than people think. “All apps that access location need to request permission from the Android platform,” said Janne Lindqvist [cq], who led the research project. “The problem is that people don’t pay attention to these default disclosures.” Android phones display a flashing GPS icon when apps are trying to access the user’s location. But few people notice or understand what the icon is telling them, the researchers found. The app they developed is designed to fix that, by making it clearer to users when other apps are accessing their location data. They tried several methods, including a message that flashes on the device’s screen reading, “Your location is being accessed by [app name].” There’s no obvious way in Android for an app to monitor whether other apps are accessing location, the researchers said, but they discovered they could exploit a method in the Android Location API as “an effective side channel.” They’re in the process of readying their app for the Play Store. It doesn’t have an official name yet, but the working title is the RutgersPrivacyApp. “I’m happy to hear suggestions for a better one,” Lindqvist said. [Source]


SK – South Korean Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korean Herald]

AU – Australian Breach of Privacy Case Dismissed

A police officer’s privacy complaint against the Queensland Police Service (QPS) has been dismissed. The officer “launched legal action against the Queensland Police Service claiming his privacy had been breached when details of a raid on his home appeared in the media,” the report states. The Queensland Civil and Administrative Tribunal dismissed the complaint after finding the officer “had not substantiated his claims against the QPS,” the report states. [Brisbane Times]

AU – Data Privacy Complaints at Record High in Hong Kong

Complaints and enquiries to the Office of the Privacy Commissioner for Personal Data (PCPD) peaked in 2013 are “driven partly by new restrictions on companies’ use of their customers’ personal data for direct marketing.” The PCPD reported Thursday that more than 75% of the “complaints targeted private organisations, while more than half of the enquiries asked about the marketing restrictions,” the Office of the Privacy Commissioner for Personal Data said. The number of complaints received in 2013 was up 48% over 2012, the report states. [South China Morning Post

Online Privacy

US – Suit Accuses Facebook of Scanning Users’ Private Messages

Facebook is facing a second potential class-action lawsuit accusing it of scanning users’ personal messages to each other. In the complaint filed last week in the Northern District of California, David Shadpour says, “Facebook’s desire to harness the myriad data points of its users has led to overreach and intrusion on the part of the company as it mines its account holders’ private communications for monetary gain.” Shadpour says the practice violates California laws. The suit is similar to one filed last late year. [Media Post] See also: [On Facebook, clicking ‘like’ can help scammers]

WW – Whitepaper Imagines Cookie-Free World; Ad Choices Icon Unsuccessful?

A new whitepaper examines how online ads might function in a cookie-less world. The Interactive Advertising Bureau published “Privacy and Tracking in a Post-Cookie World,” which it calls a “first step” toward “eliminating one of the biggest limitations impacting mobile advertising today.” Meanwhile, a TRUSTe report indicates web users are increasingly concerned about online privacy, and new research suggests the Digital Advertising Alliance’s AdChoices icon, used in targeted display advertising as part of its public education campaign, hasn’t been as effective to date as the coalition may have hoped. [Wall Street Journal] See also: [Connected Cars are Here. The Good News Is That Privacy Is Being Taken Seriously]

US – AAA Unveils Consumer Rights for Car Data

The American Automobile Association (AAA) has drafted a consumer bill of rights and is urging industry to adopt it. AAA calls for transparency, choice and security and states car owners should have the right to understand what data is being collected about them, control with whom their data is shared and expect that companies will exercise best security practice. “Many connected car features are made possible through the collection of large amounts of potentially sensitive data from drivers,” said AAA CEO Bob Darbelnet, adding, “Companies collecting, using and sharing data from cars should do everything possible to protect consumer rights as they offer these exciting technologies.” [USA Today]

Other Jurisdictions

BR – 2014 Brings the World Cup and Perhaps New Privacy Laws to Brazil

The Hogan Lovells privacy team explores the impact two proposed privacy laws would have on organizations that provide digital products and services to Brazilian consumers. The Marco Civil da Internet would establish data protection requirements and preserve net neutrality, and the Data Protection Bill would establish an EU-style framework for the processing of personal data. These laws have been in limbo for the past few years, but will the fallout from U.S. government surveillance practices be the inspiration Brazilian lawmakers need to pass provisions, including some that would restrict cross-border data transfers? [Privacy Tracker]

Privacy (US)

US – Justice Department is Investigating Target Breach

US Attorney General Eric Holder says that the Department of Justice (DOJ) is investigating the Target data breach. The DOJ hopes to find the people responsible for the attack as well as people who use the stolen information. DOJ does not normally publicize its involvement in investigations. The Secret Service is also investigating the breach. [ComputerWorld] [GovInfoSecurity] [CNET] [SC Magazine]

US – Terrorism Defendant Challenging FISA Amendments Act

A man who was charged based on evidence gathered by the NSA’s warrantless surveillance programs has filed a lawsuit challenging the constitutionality of that program. Jamshid Muhtorov is a political refugee and permanent US resident from Uzbekistan now living in Colorado. Last year, the Supreme Court ruled against a suit challenging the same law because the plaintiffs in that case could not prove that their communications had been intercepted. [WashPost] [WIRED] [ComputerWorld] [CNET] [ArsTechnica] and [Motion to Suppress] [US: Terrorism suspect challenges warrantless surveillance]

US – Sens. Introduce Data Breach Legislation; Breach May Affect Hotels

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Diane Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the FTC to release a set of security standards for businesses holding consumer data. Calls for chip-and-PIN technology are increasing as well. Sen. Robert Menendez (D-NJ) also plans to introduce the Commercial Bill of Rights, noting that, “Target was just the tip of the iceberg.” Representatives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday. Meanwhile, a recent PricewaterhouseCoopers survey canvassed those who oversee privacy within their organizations and found that though some data security awareness is growing, “privacy awareness isn’t quite where it should be.” In other breach news, KrebsonSecurity reports that White Lodging, a business with connections to Hilton, Marriot, Sheraton and Westin, has allegedly suffered a data breach exposing credit and debit card information on thousands of customers. [Diane Feinstein]

US – Google Denied Chance to Immediately Appeal Wiretap Ruling

U.S. District Court Judge Lucy Koh has denied Google’s request to immediately appeal her ruling that the company’s scanning of Gmail messages potentially violates the Electronic Communications Privacy Act. That means the ruling will stand for now. Koh’s ruling could have implications for Internet service providers’ common practices—even seemingly innocuous ones like scanning for viruses. “We desperately need clarity on the legal question,” said one law professor, adding it could be months, years or longer before that arrives. [MediaPost News]

US – Will FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Enforcement?

The FTC last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? Will the EU be placated? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC’s court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. [The Privacy Advisor] See also: [Vladeck Discusses FTC Enforcement Past and Present]

US – Plaintiffs Ask Appeals Court to Revive Facebook, Zynga Complaints

Plaintiffs are asking the Court of Appeals, San Francisco, to revive complaints filed in 2010 and dismissed a year later, seeking that Facebook and Zynga “be ordered to face claims that users’ identities and activities on the social networking platforms were disclosed to third parties without their consent.” Judge Richard Tallman said Congress could not have envisioned “the alleged violations of the Stored Communications Act in its ‘wildest dreams’ when it wrote the law,” the report states. He indicated he was “skeptical anyone was misled by the privacy policies that are being challenged” but acknowledged “there has to be substantial value to the information” or companies would not gather it, the report states. [Bloomberg Businessweek]

US – FTC Settles Safe Harbor Charges Against 12 Companies

The FTC has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission’s Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.” [Full Story]

US – SCOTUS to Hear Cellphone Privacy Cases

The Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” [Politico]

US – Is a Constitutional Amendment the Answer to Restricting Data Collection?

Privacy scholar and National Constitution Center President and Chief Executive Jeffrey Rosen has opined that a constitutional amendment may be needed to “prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” But Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center, disagrees. Thierer explains why there “are several problems with Rosen’s proposal—legal, economic and practical” and writes “that better alternatives exist to deal with the privacy concerns he identifies.” [Privacy Perspectives]

US – Judge: Plaintiffs Sufficiently Allege Legal Duty in Sony Case

While U.S. District Judge Anthony Battaglia shot down parts of the class-action suit against Sony over its 2011 hacking incident, he did allow certain claims through, including one related to Sony’s legal duty to provide reasonable security. Battaglia wrote that “because plaintiffs allege that they provided their personal information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their personal information, including the utilization of industry-standard encryption, the court finds plaintiffs have sufficiently alleged a legal duty and a corresponding breach.” []

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for a FCRA violation. [Source]

US – MRA Names Top 10 Gov’t Officials in Privacy

In recognition of Data Privacy Day, the Marketing Research Association has published a list of the “Top 10 Government Players in Consumer Data Privacy in 2014.” The list is topped by President Barack Obama for his multi-stakeholder approach to the White House’s Consumer Privacy Bill of Rights and his efforts to “demonize” private-sector data collection. The list also includes FTC Chairwoman Edith Ramirez, Sen. Jay Rockefeller (D-WV), FTC Commissioners Julie Brill and Maureen Ohlhausen, and Sen. Al Franken (D-MN), among others. [MRA] [Stay Safe Online [B.C. proclaims Tuesday, January 28 “Data Privacy Day.”]

US – Rodriguez Is Leaving OCR: A Look at His Legacy

News that President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The Privacy Advisor reports on this shift, which would leave the OCR director post vacant for the foreseeable future—and at an historic juncture. While HIPAA passed in 1996, its rules were enforced more like suggestions than federal mandates during the early years. But when Rodriguez took his post as OCR director in 2011, armed with powers granted under HITECH, the tone shifted, healthcare insiders seem to agree. As his departure looms, who will take his place and how will HIPAA enforcement change? [Privacy Advisor]

US – Federal Guidance on Breach Notification Would Ease Way for Businesses

Although many businesses balk at the idea of government regulation, some now appear to want the government to establish federal standards for data breach notification policies. Currently, companies must navigate a jumble of rules in 46 states and the District of Columbia regarding breach notification, which is a compliance nightmare. Legislators opposed to regulation may be hard to convince that the move would benefit businesses. Others are concerned that a national standard would weaken laws in states that havemore stringent requirements in place. [NextGov]

US – Judge Who Ruled NSLs Unconstitutional Enforces New Orders

US District Judge Susan Illston, who last year ruled that the government’s use of National Security Letters (NSLs) is unconstitutional, has since enforced several of those same orders. In March 2013, Judge Illston ordered the government to stop using NSLs as they unconstitutionally impinge free speech. She also ordered the government to stop enforcing the gag order imposed by NSLs that had already been issued. Judge Illston’s logic is that because the Ninth Circuit court will be hearing the appeal of her ruling, it would be best to maintain the status quo until that court issues its ruling. [WIRED]

Privacy Enhancing Technologies (PETs)

WW – Whitepaper Highlights Emerging Privacy Engineer Discipline

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” [PbD] In a Privacy Perspectives installment, Cronk wrote, “ Is 2013 the Year of the Privacy Engineer? See also: [Opinion: Privacy Is Not Dead; Innovate for the Future] and [Innovate Privacy for the Future, But Don’t Get ‘Privacy Twisted’]

EU – Privacy Proving to be Tech Industry Driver

With “some of the world’s toughest privacy laws,” “an unusually large number of hackers and security experts” and “a deep appreciation for privacy among the German people,” Germany is seeing entrepreneurs in the wake of the Snowden revelations looking to privacy-focused business models. Germany is now home to start-ups ZenGuard, an encryption service; Blippex, a search engine “built with user privacy in mind,” and Arriver, “a social navigation tool developed on the principle of neutrality.” State-level business support is available to these start-ups through innovation funding programs, and Arriver CEO Felix Langhof says, “The privacy relevance is only just beginning to dawn on all of us.” [Forbes] See also: [Privacy Engineering: Proactively Embedding Privacy, by Design]

US – Privacy Appendix Dropped from NIST Framework

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls. According to the update from NIST , a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” [FierceGovernmentIT]


US – DMA Releases Guidelines on Breaches; Retail Association Launches Initiative

The Digital Marketing Association says it will be releasing new guidelines for best practices on data breach protection. The guidelines will include advice on data minimization, transparency on data use and cleaning and purging instructions. Meanwhile, a liability insurer at KPMG says the firms that need cyber insurance the most aren’t investing in it. Following the Target breach, the Retail Industry Leaders Association has launched an initiative to provide additional safeguards for consumer transactions, and the co-founder of a new service says it has struck the right balance between employee privacy and corporate security. [Broadcasting Cable] See also: [Top 10 Influencers in Government InfoSec]

WW – The Internet of Things: Software Flaw Allows Remote Access to Video

A security weakness in software used in webcams, IP surveillance cameras (also known as webcams), and baby monitors from Foscam could be exploited to remotely view live and recorded video. All the attackers would need to know is the targeted device’s Internet address; in many cases, attackers could bypass the authentication prompt by clicking “OK”. Foscam planned to issue a firmware security update by January 25. [KrebsOnSecurity] [PCWorld] []

RU – Olympics Security Trumps Privacy at Sochi

“Unprecedented” security measures are being taken around the upcoming Olympic Games in Sochi, Russia. With terrorist groups threatening the safety of the participants and fans, Russian President Vladimir Putin has bolstered a “ring of steel” around the venues with “an unmatched level of monitoring in cyberspace,” the report states. With help from the U.S., Canada and other nations, people attending the games have been warned to expect to be under surveillance at all times—including via telecommunications, the Internet and physical movement. [QMI Agency] See also: [Cybersecurity AWOL in State of the Union]

WW – Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56% of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11% of all users say they use the Tor network. [Ars Technica] and [SpyEye Developer Pleads Guilty]


US – PCLOB: NSA Phone Program Is Illegal

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on the NSA program that collects en masse phone metadata, noting it provides minimal benefits to thwarting terrorism, is illegal and should come to a halt, Reuters reports. The PCLOB report goes further in criticizing the programs than did President Barack Obama and his ad hoc review panel. “The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215,” the PCLOB report states, adding it “raises serious threats to privacy and civil liberties as a policy matter and has shown only limited value.” Two of the board’s members—Rachel Brand and Elisebeth Collins Cook—voted against the recommendation to end the bulk collection. The PCLOB is also working on a separate report on the NSA’s Internet surveillance. The Guardian has compiled quotes from groups and lawmakers calling for the end of bulk phone records collection. [Reuters]

US – Constitutionality of NSA Surveillance Challenged in Court

A suspect facing terrorism charges has become the first criminal defendant to challenge the constitutionality of the NSA’s bulk surveillance program. A motion was filed in a federal court to suppress any evidence against the defendant gathered from the warrantless government surveillance under the FISA Amendments Act. The defendant “believes that the government’s surveillance of him was unlawful for the simple fact that it was carried out … under a statute that fails to comply with the Fourth Amendment’s most basic requirements,” according to the motion. In a separate case, for the first time in FISA’s 36-year history, a federal judge has allowed a defense lawyer to review classified evidence gathered under the law. [The Washington Post]

US – How Obama’s NSA Plans May Affect EU Law

President Barack Obama’s plans for surveillance reform, as revealed in his recent speech, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.” [Full Story]

WW – Google Downplays Eavesdropping in Chrome Speech Recognition Feature

Google is downplaying reports that the speech recognition feature in its Chrome browser could be used to eavesdrop on users. A web developer created an exploit that could be used to let a website continue to listen on users’ microphones even after the users believe they have left the site in question. Websites could be less than forthcoming about their actions, and could conceivably open a second window underneath the original site thus allowing the microphone access to remain on even after users believe they’ve left the site. Google says the issue is not a threat because the way the feature is designed, users must enable speech recognition for each site that requests it. When the speech recognition feature is being used, Chrome places a blinking red light in the browser tab and a camera icon in the address bar. [ComputerWorld] [TheRegister] [ArsTechnica] [NBCNews] []

WW – Bulk of China’s Internet Traffic Redirected to US-Based Addresses

Earlier this week, many Chinese websites were redirecting users to a blank page run by a company in the US. Chinese Internet users found they were unable to access websites hosted either in China or overseas that were part of top level domains like .com, .net, and .org. Sites with the .cn domain were unaffected by the incident. The situation did not last long – several hours – but its effect was felt for quite some time after the problem was resolved because users were still accessing cached versions of pages. While Chinese authorities said the incident was the result of an attack, a more likely scenario is a glitch in the way the country’s censorship system was being managed. The company that operates the page to which surfers were redirected runs services designed to circumvent China’s stringent Internet censorship program. [ZDNet] [ArsTechnica] [NextGov] [ComputerWorld] [NY Times]

US – Gov’t to Fund Devices to Track Children With Autism

Sen. Charles Schumer (D-NY) said the federal government will fund voluntary-use GPS tracking devices for children with autism or other disorders that put them at risk when away from their caregivers. The federal government, led by the Justice Department, has already funded a similar program for individuals with Alzheimer’s disease. The new program stems from a recent case where a 14-year-old with autism died after disappearing from his school. The case is still under investigation. Schumer said the program would be voluntary and work in conjunction with local law enforcement. The devices cost approximately $85, plus monthly fees. [Associated Press] See also: [Surveillance of B.C. seniors raising privacy concerns]

Telecom / TV

US – Viacom Hit with Privacy Lawsuit; Group Files Complaint with FTC

Google and Viacom are asking a federal judge to dismiss a potential class-action lawsuit that argues the companies are violating privacy laws at, and NeoPets. The lawsuit alleges the companies place cookies on websites visited by children under the age of 13. The plaintiffs allege the companies have violated federal wiretap law, the Video Privacy Protection Act and several New Jersey and California state laws. In a separate case, Consumer Watchdog has filed a complaint with the FTC alleging a planned contact list merger between Google+ and Gmail violates a privacy settlement reached between the federal regulator and Google. [MediaPost News]

US Government Programs

US – PCLOB: Data Surveillance Violates Law; NSA is Wrong Agency for the Job

A new report from the Privacy and Civil Liberties Oversight Board (PCLOB) says “the bulk collection of billions of American phone records violates the letter and the spirit of the law.” Excerpts from the report, which is scheduled to be read at an open board meeting , say the mass collection has “no connection to a specific FBI investigation when it’s being gathered” and the amount of it being “vacuumed up” can’t be considered “relevant.” It also says that under the law, the FBI—not the NSA—should be doing the collecting. Two PCLOB members, however, wrote dissents on that opinion. “The board will vote Thursday on whether to call for an outright end to the phone metadata program and call for more transparency from the government and the secret court,” the report states. [NPR]

US – NSA Announces First-Ever Chief Privacy Officer

The Washington Post reports on the National Security Agency’s announcement that it has named IAPP member Rebecca Richards, CIPP/US, CIPP/G, its first-ever privacy officer. Former Department of Homeland Security (DHS) official Paul Rosenzweig told the Post that Richards, leaving DHS for the new job, has her work cut out for her and civil libertarians are skeptical. However, former DHS CPO Mary Ellen Callahan, said, “She is one of the best privacy officials I have worked with in over a decade and a half of privacy counseling. She works meticulously with the program managers and creators of new programs, and demonstrates an ardent level of diligence and devotion to privacy.” Meanwhile, a report for Federal News Radio says agencies are now treating privacy the way they treated cybersecurity five years ago, as a “classic risk-management issue.” But privacy is “hard to define because it means different things to everyone,” making the role of CPO somewhat less defined than a CSO. [Washington Post]

WW – How App Developers Leave the Door Open to NSA Surveillance

News that the National Security Agency has for years harvested personal data “leaked” from mobile apps such as Angry Birds triggered a fresh wave of chatter about the extent of the NSA’s reach. However the NSA and its U.K. equivalent, GCHQ, hardly had to break much technical ground to hoover up that data. Few mobile apps implement encryption technology to protect the data they send over the Internet, so the agencies could trivially collect and decode that data using their existing access to Internet networks. Documents seen and published by the New York Times and Guardian newspapers show that the NSA and GCHQ can harvest information such as a person’s age, location, and sexual orientation from the data sent over the Internet by apps. Such personal details are contained in the data that apps send back to the companies that maintain and support them. This includes data sent to companies that serve and target ads in mobile apps. “This is evidence of negligent levels of insecurity by app companies, says Peter Eckersly, technology projects director for the Electronic Frontier Foundation. A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 percent used encrypted connections exclusively, and that 43% use no encryption at all. Last week mobile app security company MetaIntell reported that 92% of the 500 most popular Android applications communicated some data insecurely. The documents published single out Google Maps as leaking particularly useful data for surveillance purposes. Documents from both the NSA and GCHQ note how search queries intercepted from this app can reveal a person’s movements. A 2008 document from GCHQ states that a system set up to intercept that data “effectively means that anyone using Google Maps on a smartphone is working in support of a G.C.H.Q. system.” [MIT Technology Review] and [Time for a ‘wake-up call’ on smartphone spying: Cavoukian]

US Legislation

US – Criminal Liability in Breach Legislation Could Be a Recipe for Disaster

With recent high-level data breaches, and the introduction by Sen. Patrick Leahy (D-VT) of the Personal Data Privacy and Security Act of 2014, some are hopeful a federal breach notification statute is on the horizon. There is one issue, however, raised by Leahy’s bill that “deserves considerable debate,” writes Andrew Proia, of Indiana University’s Center for Applied Cybersecurity Research and Maurer School of Law. “In addition to creating the federal breach notification law, Section 102 of Leahy’s bill would open the door to criminal liability for anyone who ‘intentionally and willfully’ conceals the fact of a security breach,” he writes, adding, “it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.” [Privacy Perspectives]

US – Sens. Introduce Anti-Fraud Legislation

Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) have reintroduced legislation that would require certain entities to “better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud,” now called the Data Security Act of 2014. The requirements would supersede current state breach laws and apply to “businesses that take credit or debit card information; data brokers that compile private information, and government agencies holding nonpublic personal information.” [Government Security News]

US – CA Senate Approves Bill Defining Collection and Use; AG Files Suit Over Kaiser Breach

California’s Senate approved a measure Thursday aimed at protecting consumers’ information from being misused, Los Angeles Times reports. The bill, introduced by Sen. Hannah-Beth Jackson (D-Santa Barbara), would limit online merchants’ collection of data to only that which is necessary and would prohibit the merchants from selling the data or using it for marketing purposes. Meanwhile, a recent breach at Snapchat narrowly avoided repercussions under California’s updated data breach law, which took effect January 1, and the state’s attorney general recently filed a suit against Kaiser Foundation Health Plan for a 2011 breach. [Los Angeles Times]

US – Montana Allows Review of Post-Suicide Medical Records

In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana’s Suicide Prevention Coordinator Karl Rosston says “None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We’re not going to take one isolated incident and say ‘this is what happens’.” [KRTV]

US – South Dakota House Considering Student Privacy Bill

South Dakota’s House Education Committee will revisit SB 63 this week to protect the privacy of students who take educational assessments. South Dakota Secretary of Education Melody Schopp wrote a letter to U.S. Education Secretary Arne Duncan explaining the state cannot and does not link identifiable information to test scores. “We are prohibited to share any personally identifiable information with the federal government,” Schopp said, adding that the education department is in favor of the privacy policy. [South Dakota Public Broadcasting]

US – CA Senate Passes Bill to Protect, Limit Online Data Collection, Retention

The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they don’t need it. Sen. Hanna-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons. [The Associated Press]

US – Nebraska Citizens Voice Privacy Concerns Over Wages Bill

The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. Listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service. [The McCook Daily Gazette]

US – Judge: CA’s Two-Party Consent Doesn’t Apply to Out-of-Staters

U.S. District Court Judge Josephine Staton has dismissed Annette Jonczyk v. First National Capital Corporation et al, stating that because Jonczyk is not a California resident, the state’s two-party consent statute, requiring both parties to consent to recording a phone call, does not apply to her. At the crux of the case is that First National is a California company and recorded a call, without consent, to Jonczyk, a Missouri resident, and Missouri is a one-party consent state. Staton noted that the California legislature’s intent is to “protect the right of privacy of the people of this state.” “Applying California law to this case would not further that goal. On the other hand, Missouri specifically limited their privacy protection statute to allow a single party to consent to a recording.” [Scott Koller of Information Law Group]

US – Maine Committee Quashes Social Media Bill, Opts for Study

The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.” [Portland Press Herald]

US – West Virginia House Passes Social Media Bill

The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate. [The Journal]

US – Indiana House to See Bill Restricting Police Surveillance Techniques

The House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future. [Associated Press]

US – Missouri Considers Constitutional Protection for Electronics

Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November. [The Associated Press]

US – California Assembly Passes Drone Bill, Including Data Retention, Use Provisions

The California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when it plans to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with the authorities. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate. [The Washington Post]

US – Georgia General Assembly Considers Two Drone Bills

Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance.” And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill. [The Associated Press]

US – Iowa Considering Drone Privacy Bill

Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion. [The Associated Press]

US – Minnesota Bill Would Regulate Police Drone Use

Legislation has been proposed in Minnesota to regulate police use of drones. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger. [The Associated Press]

US – New Hampshire Bill Would Restrict Police, Public Use of Drones

New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state. This bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on first amendment rights, according to the director of the NH Civil Liberties Union, which, based on those grounds, does not support the bill. [The Union Leader]

US – Utah Sen. Introduces Drone Privacy Bill

Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent. The bill also puts limits on the retention of data obtained by drones. [Deseret News]

US – NJ Governor “Pocket Vetoes” Drone Privacy Bill

Among the 44 bills Gov. Chris Christie (R-NJ) allowed to expire was a drone privacy bill that would’ve required police to get a warrant before using drones for surveillance. The bill passed the New Jersey Assembly with a vote of 74-1. []

US – Wisconsin Assembly Passes Social Media Bill; Senate Passes Mental Health Bill

Senate Bill 223, making it illegal for employers, universities and landlords to require social media login information from workers, students, tenants or applicants, has passed the Wisconsin Assembly, reports WEAU. If the bill passes into law, violators could see fines of up to $1,000. One employment law expert says that if misconduct on social media is suspected, employers can ask for access to the site but not for login credentials. The bill now heads to the Senate for approval. The Wisconsin Senate, meanwhile, has passed the Mental Health Care Coordination Bill, updating Wisconsin law to be more consistent with HIPAA. Currently, state law requires a level of confidentiality for behavioral health treatment beyond that required in HIPAA. The current requirements have been criticized for hampering appropriate treatment by restricting the sharing of patient data with other treatment providers. [The National Law Review]

Workplace Privacy

US – Study Says US Government Workers Do Not Practice Good Mobile Device Security

According to a study from the Mobile Work Exchange, many US federal government employees are not taking appropriate measures to secure their mobile devices, despite established security policies. The report, commissioned by Cisco Systems, focused on tablets, smartphones, and laptops. While physical security seems to be more entrenched – 86% of the workers lock their computers while away from their desks – more than 40% of the 155 government workers surveyed use their mobile devices in ways that put their agencies and the devices at risk for a breach. Issues include using public wireless networks, failure to employ multi-factor authentication or encryption, and 25% do not use passwords for their devices. Also, downloading personal apps and opening messages from senders they do not know. [DarkReading] [MobileWorkExchange] See also: [How To Change Employees’ Poor Password Habits] and [Blancco Backs 2014 Data Privacy Day on January 28 – Jan 28 2014 – Champion of data privacy’ takes leadership role in data erasure for mobile devices, an important focus for today’s security-challenging BYOD trend]





01-15 January 2014


UK – More Than One Million Students Fingerprinted

Big Brother Watch, a UK-based privacy advocacy group, estimates that 1.28 million students have been fingerprinted at their secondary schools, nearly one-third without parental consent. Based on a Freedom of Information request, data shows that four out of 10 schools employ biometric technology to identify students. Big Brother Watch has said the development is concerning because students will grow up thinking “it is normal to be tracked like this all the time.” Big Brother Watch Director Nick Pickles said, “Going to school should not mean kids are taught that they have no privacy, especially at a time when we are sharing more data about ourselves than ever before.” [The Independent] See also: [New facial recognition app ‘creepy’, says kids entertainer Raffi]

US – At CES, Company Announces New Open Standards

Hoyos Labs announced at the Consumer Electronics Show the formalization of its Biometric Open Standards Protocols. The document sets up rules for secure communications between devices and the server “managing the acquisition and manipulation of biometric data captured by those devices,” according to a press release. CEO Hector Hoyos said the company “created a rule-based system by building upon the U.S. Department of Defense’s core infrastructures” that “is available to any company that wants to implement it” upon request. The document addresses identity assertion, role gathering, access controls, auditing and assurance. [DarkReading] [Consumer Electronics Show will highlight new ways to collect biometric data]


CA – OPC: Google Health Ads Violated Privacy Law

After an investigation, the Office of the Privacy Commissioner (OPC) said that Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements . After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioral advertising.” Bernier, whose office received support from the U.S. Federal Trade Commission, also said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.” Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads. [OPC News Release] SEE ALSO: [Canada:  Conservatives deny request to view full guest list for speech from the throne] and [Spy agency admits it spies on Canadians ‘incidentally’]

CA – Sudden Resignation from Sask. Privacy Commissioner

Saskatchewan’s information and privacy commissioner Gary Dickson has resigned, citing personal reasons. Dickson said in a news release he would step down at the end of the month. First appointed to the position in 2003, Dickson was reappointed to another five-year term in April, 2009. During his time in the post, Dickson has been a strong advocate for more rigorous protection of personal medical data, and critical of lapses in the public sector. He has also said the government needs to extend its privacy legislation to cover that sector. Dickson said his resignation was “solely for personal reasons.” He did not provide any details. [Source]


US – Facebook Users File Suit Over Data-Mining

Two Facebook users are suing the social network for allegedly intercepting the “content of the users’ communications” to “mine user data and profit from those data by sharing them with third parties—namely, advertisers, marketers and other data aggregators.” In their December 30 class-action, the plaintiffs allege “Facebook’s use of the word ‘private’ in relation to its messaging system is misleading, given the way the company treats the info contained within those messages,” the report states. Facebook has denied the allegations , calling them “without merit.” The class-action is seeking $100 for each day of violation or $10,000 per class member and “statutory damages of either $5,000 per class member or three times the amount of actual damages, whichever is greater,” the report states. [Ars Technica] See also: [IRE:  The privacy of a billion people on the Internet is controlled by one Irishman]

US – Consumers Trusting Fewer and Fewer With Their Data

“People are becoming more aware of the data being collected about them online. And that’s eroding the trust they have with collecting companies.” The statement is based on research by McCann Truth Central shared at the Consumer Electronics Show (CES). The McCann Truth Central survey examines which companies consumers see as “the greatest threat to the future of privacy” while also highlighting which they trust with their data. The Ad Age report also highlights comments by FTC Commissioner Julie Brill at CES that “we need legislation around privacy … We actually need specific data-broker legislation.” Meanwhile, amidst privacy concerns, anonymous search engine DuckDuckGo has announced 2013 saw more than one billion searches made—its biggest year to date. [Ad Age]

US – Ford CEO Calls for Driver Privacy Provisions

Ford Motor Company CEO Alan Mulally says drivers’ privacy must be protected by law as vehicles increasingly use data for location tracking. The company is “supportive and participating” in talks with regulators considering such legislation, the report states. “It’s just really important that we have boundaries and guidelines to operate,” Mulally said. Sen. Al Franken (D-MN) recently questioned Mulally on what kind of data the company collects via vehicles’ GPS systems and how driver consent is obtained. Franken’s questioning comes after a company executive said last week the company can infer a person’s driving habits via the navigation systems in Ford vehicles, as referenced in this recent Privacy Perspectives post. [Bloomberg] [Franken presses Ford on location data collection practices]


NZ – Agencies Too Slow In Destroying Shared Data

Kiwis’ private information is being mishandled by government agencies, which break their own rules when sharing people’s details. Reports from the Office of the Privacy Commissioner reveal agreements between Government agencies to share personal information have been “non-compliant” and have had “substantial issues”. Several agencies have been caught holding on to the information of hundreds of thousands of people after they had previously agreed to destroy it. In another report, the Ministry of Social Development was caught tracking people using their tax numbers, which is illegal under the Privacy Act. Privacy Commissioner Marie Shroff said the breaches were disturbing. “This is a highly complex environment with huge amounts of citizens’ data, and you do need a watchdog carefully checking what is going on to keep them honest.” [Source] [CA – Government departments consider banning portable data devices in wake of security breaches in 2013] and [New Ideas for Mitigating Insider Threat: Presidential Panel Suggests Series of Steps, Government Information Security]



CA – CASL: What You Need to Know and When

Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL). Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. [IAPP Privacy Tracker]


Electronic Records

US – Experts Say Still Has Numerous Security Issues

Experts testifying before congress said that the government’s healthcare exchange website still contains many security problems. One of the security issues identified last year has been partially addressed, but the other 17 remain, and 20 new issues have been detected. According to a statement from the Centers for Medicare and Medicaid Services (CMS), “There have been no successful security attacks on and … [no one] has maliciously accessed personally identifiable information from the site.” [CNET] [Ars Technica] [NBC News] [TrustedSec] See also: [Centers for Medicare and Medicaid Services Official Says Site is Now Secure] and [ghg and OptimizeRx join forces on electronic health records]

UK – Patients Asked To Opt Out Or Be Included In Database

NHS England has begun sending leaflets out to every household in England to inform residents that information from their patient records will be used in a national database unless they actively opt out. The ambitious programme aims to join up anonymised patient data from a number of care settings into one data collection kept by the Health and Social Care Information Centre. This will be available to clinicians and researchers. The leaflet, entitled “Better information means better care”, is part of a £2m publicity campaign launched in the wake of concern being raised by GPs and privacy campaigners that patients were not being well enough informed about the new database. [Source]



US – Yahoo Implements Default Encryption

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the NSA to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearance at the firm’s annual conference [CNET]. [Yahoo users exposed to malware attack]

WW – Quantum Computer Could Crack Most Encryption

The U.S. NSA is allegedly building “a cryptologically useful computer” that could break virtually all encryption on the Internet, including banking, medical, business and government records. Documents provided by former contractor Edward Snowden reveal the plans are part of a $79.7 million research program going by the name “Penetrating Hard Targets.” Unlike classical computers, which run on binary bits—ones or zeroes—quantum computers seek to use bits that are simultaneously ones and zeroes, making it exponentially quicker and more efficient. Some experts, however, are skeptical that such a full-scale system would be ready in the near term. [The Washington Post]


EU Developments

EU – No Successor Yet for EDPS Hustinx

In his last speech of his mandate as European Data Protection Supervisor (EDPS), Peter Hustinx urged Germany to take the lead in reform of the EU data protection framework. And now, after 10 years of service, Hustinx is retiring from “what is in essence the EU’s top data protection authority.” But the future leadership of the office is in question. Earlier this month, news came out that a “selection board” found that none of the successor candidates were “sufficiently qualified” for the position, thereby delaying the selection, possibly by months. “After working in Brussels for the last 15 years,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner, “I have become accustomed to the byzantine machinations of European politics.” [IAPP]

EU – Is the EU’s “Anti-FISA” Clause Practical?

The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg, who notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?” [Full Story] See also: [US: Spy court judge slams proposed privacy advocate]

EU – LIBE Publishes NIS Directive Draft Amendments

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) has published “a list of draft amendments MEPs in the group would like to see made to the European Commission’s proposed Network and Information Security (NIS) Directive.” The proposed NIS Directive, first published last year, “aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems,” the report states. MEP Marie-Christine Vergiat has suggested the standard of protection should differ by organisation, while other proposals include recommending the NIS Directive’s implementation be postponed until after the introduction of EU data protection reforms. [Full Story]

EU – Shutting Down EU Is Not the Way to Defend Privacy

In reaction to the release of the European Parliament’s LIBE Committee draft report on U.S. National Security Agency (NSA) mass surveillance, Field Fisher Waterhouse Partner Eduardo Ustaran writes, “Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.” Ustaran looks at several specific provisions of the draft report, noting that though it’s extreme, there is no need to panic. Meanwhile, TechCrunch reports that the LIBE Committee has invited former NSA contractor Edward Snowden to testify on U.S. surveillance. []

EU – Court of Human Rights Supports Finnish Court Decision

A European Court of Human Rights ruling supports an earlier Finnish court decision to fine author Susan Ruusunen for writing “a tell-all book” in 2007 about then-Prime Minister Matti Vanhanen. “The judgment is the latest example of the Strasbourg-based court having to toe the line between upholding the European Convention on Human Rights articles of freedom of expression and the privacy rights of people, even those in the spotlight,” the report states. Finland’s Supreme Court found against Ruusunen and her publisher back in 2010. [The Wall Street Journal]


Facts & Stats

WW – Snapchat Assures Users Spam Is Unrelated to Breach

Following reports from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post. [Los Angeles Times]



US – E-Receipts Come With Privacy Concerns

Stores are increasingly offering to send customers email receipts, which are convenient and save paper. But if you choose an e-receipt, experts warn that convenience comes with a price: your privacy. “Once you’ve given up your email address, that retailer can use it for any purpose,” said consumer advocate Richard Holober. Holober said that includes sending you more emails, using it for targeted marketing and even selling your information to a third party. “The question that the consumer should be asking the retailer is, ‘What are you doing with my information?’” she said. “Sometimes, if it’s online with the terms and conditions, you’ll clearly see that whoever you’re signing up with is clearly saying that they are going to be giving that information to third parties. [New York News]

US – Regulators Have Concerns About Lenders’ Use of Facebook, Other Sites

More lending companies are mining Facebook, Twitter and other social-media data to help determine a borrower’s creditworthiness or identity, a trend that is raising concerns among consumer groups and regulators. Lending companies—some of which are backed with venture funding from Google Ventures, the venture-capital arm of Google Inc., and Accel Partners, an early Facebook Inc. investor—are looking at potential problems such as whether applicants put the same job information on their loan application as they posted on LinkedIn, or if they shared on Facebook that they had been let go by an employer. A small business that draws negative reviews on eBay also could undermine its chances of getting more credit, lending companies say. Consumer advocates say the trend increases the chance borrowers, including small businesses, will be unfairly denied credit or saddled with higher interest rates based purely on their social-media presence. They say federal laws haven’t kept up with the trend, leaving borrowers exposed. “The data we have on customers via social networks says more about them than their FICO,” Mr. Sion said, referring to the three-digit credit score widely used to estimate risk. “You can make credit decisions based not on a faceless score, but on who you know.” Companies are tapping into other sources of data, including PayPal and eBay accounts, to determine not just whether a borrower should get a loan but whether their credit line should be increased. [The Wall Street Journal]

CA – Bitcoin ATM Arrives in Toronto

Toronto has its first Bitcoin machine, located at King Street West and Spadina Avenue. Bitcoin, which allows people to convert their money to digital coins or bitcoins, is the first decentralized digital currency.

The only other Canadian Bitcoin ATM is located in Vancouver and it has seen massive success since it was unveiled in late-October of 2013.While some view it as a passing fad and have questioned its validity, others see it as the replacement for the current monetary system. The volatility of the emerging digital currency has been a focus of attention for market regulators, with its stock price rising from 30 cents in 2012 to a peak of about $1,200 in 2013. Today it is closer to $900. In 2013, a U.S. judge ruled that Bitcoin is a real currency. [Source] See also: [Canada Revenue Agency reviewing issue of taxpayers wrongfully declared dead]



IN — E-records to Have Longer Archival Life

Computerized records of birth and death certificates, land, passport, Aadhaar and ration cards among others should now have a longer archival life. The city-based Centre for Development of Advanced Computing (C-DAC) has developed a national digital repository that will preserve all important government documents in the electronic format. Termed the ‘trusted digital repository’, the system is capable of saving electronic data generated by all state governments for a longer period of time. [Source]



WW – Google Acquires Nest for $3.2 Billion

Google announced it will acquire Nest Labs—maker of smart home thermostats and smoke alarms—for $3.2 billion. Nest CEO Tony Fadell said, “We’re thrilled to join Google. With their support, Nest will be even better placed to build simple, thoughtful devices that make life easier at home and that have a positive impact on the world.” According to The New York Times, Nest’s products use software, hardware, sensors and algorithms to learn the behavior of home dwellers in order to program a home’s system and allow users to remotely access and control it. Fadell said Google has agreed that Nest’s privacy policy will remain unchanged. “That was a major concern or question we had,” he said, “and they have done an amazing job convincing us that our privacy policies are going to be well-respected in their organization.” [Google Investor Relations blog]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

Privacy lawsuit against Google revised. The suit alleges the company comingled data across its services and products—in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the comingling of data deprived them of the “economic value” of their data, the report states. The revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Bloomberg]

US – Court of Appeals Denies Google’s Wiretap Act Argument

The U.S. Court of Appeals for the Ninth Circuit has ruled against an appeal by Google, holding that payload data transmitted over a WiFi network is not considered “radio communications” as defined under the federal Wiretap Act. In the case, Google defended its collection of data transmitted over open WiFi networks during its Street View mapping project, saying the data it collected was unencrypted and available to the general public. [Business Standard]

WW – Privacy Advocates Concerned About New Google Feature

In its Official Gmail Blog, Google updates users on a new feature that allows those using Gmail and Google+ where “Gmail will suggest your Google+ connections as recipients when you are composing a new e-mail.” The blog notes “your e-mail address is only shared with the people you want … You control whether people can reach you this way with a new setting in Gmail.” However, Los Angeles Times reports , privacy advocates believe the feature should have been opt-in. The Electronic Privacy Information Center’s Marc Rotenberg alleges the new feature is “eerily similar” to Google Buzz, which resulted in a settlement with the FTC. [Source]

WW – Google’s Public Policy Vet Moves to LinkedIn

LinkedIn has hired Google veteran Pablo Chavez as its vice president of public policy, Silicon Valley Business Journal reports. Chavez has worked at Google since 2006 and was responsible for engineering the company’s political strategy, the report states. Chavez’s LinkedIn profile notes his political advocacy efforts for Google on issues including privacy, security and online free expression. [Syrian Electronic Army hacks into Xbox Twitter accounts too]

EU – CNIL Issues Its Largest-Ever Fine to Google

French privacy regulator the CNIL has fined Google $204,000 for breaking the law with its unified privacy policy—its biggest fine to date. The CNIL said the company implemented its shift to one privacy policy across all its services without properly informing users of the ways in which their data would be combined and for what purposes. That’s similar to The Netherlands’ data protection authority assertion in November, while Spain’s data protection authority fined the company $1.2 million last month. The fines are the latest in European displays of dissatisfaction with online tracking, which may impact EU-U.S. business relations, The Wall Street Journal reports. [GigaOm] [Google appeals French fine as data privacy row continues]

WW – Google Announces Alliance to Support Android-Connected Cars

Google has created an alliance of car manufacturers that are working to make their products Android-connected. The initiative is known as the Open Automotive Alliance (OAA). It is “committed to bringing the Android platform to cars starting in 2014 … in a safe and seamless way.” Google is developing an Android platform “that will enable the car itself to become a connected Android device.” Questions about the alliance’s plans for addressing security issues were not answered directly. Charlie Miller, a Twitter security engineer who has given presentations about cars’ vulnerability to hacking said he believes “these automotive efforts need to have security experts brought in from the beginning.” [SC Magazine] See also: [US:  Feds May Require Cars to Talk to Each Other to Avoid Crashes]


Health / Medical

US – House Passes Security Bill

The US House of Representatives has passed a bill that would impose strict new security requirements on the website. The legislation would require the Department of Health and Human Services (HHS) to notify people within two days if their personal information is compromised. HHS officials say that the website meets the government’s information security standards and that no personal information has been compromised. The bill is unlikely to pass in the Senate. [NextGov] [Political Ticker]

US – FDA Seeks Electronic Records for Drug Safety Data

As part of the FDA’s ongoing efforts to evaluate the safety of drugs and biological products, the agency quietly began a search for access to electronic health records (EHRs) in December. The agency plans to use the information gleaned from EHR data to augment its MedWatch reporting system and other actions taken by the FDA’s Office of Surveillance and Epidemiology. In a notice posted to Federal Business Opportunities, a website used by government agencies looking to contract outside vendors, the FDA wrote that it is seeking direct and continued access to EHR data. The FDA emphasized that the identities of all patients would be obscured. The data provided by the contractor will allow reviewers to “evaluate drug-related safety issues of high regulatory priority in a timely manner” and assess several risk factors. In the notice, the FDA said it sees benefit from access to longitudinal information regarding the patient population. The agency is looking for real-time access to a database that includes demographic and diagnostic information; laboratory test orders and results; drug and biological agent use; the National Death Index; and health history, including visits to hospitals and specialists. On Jan. 8, the response date for the EHR notice had passed, and three contractors had posted to the website expressing their interest. In a separate notice, the FDA also sought database access to demographic information regarding over-the-counter drug purchases. [Source]

US – Survey: Privacy Officers Need More Staff, Anticipate Greater Enforcement

A recent survey indicates healthcare privacy, information security and compliance officers most desire increased budget, compliance software, more staff, training and audit help. In the ID Experts survey, respondents said an increased budget would help with investing in audit software and increasing training and proper staffing in an effort to meet regulations, among other needs. Asked to make predictions for 2014, respondents expected increased enforcement on privacy and security by the government and intensified auditing. [HealthITSecurity]

WW – Social Media Posts Risk Patient, Public Mistrust

Increasingly common violations of patients’ privacy when medical practitioners take photos of patients on their personal devices and share them on social media. Approximately 30% of state medical boards have reported receiving complaints of “online violations of patient confidentiality,” according to a recent survey published in the Journal of the American Medical Association. The violations have the potential to “undermine a proper physician-patient relationship and the public trust,” says the Federation of State Medical Boards. [Full Story] [NZ -Privacy Questions Raised Over Medical Record Database]

US – IMS Health Goes Public; When Docs Google Patients

IMS Health plans to go public. According to the report, the company has assembled “85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.” IMS Health then sells the data and reports to the top 100 global pharmaceutical and biotechnology companies, advertisers, consulting firms and other government and financial organizations. In a recent filing with the Securities and Exchange Commission, IMS Health said it processes data from 45 billion health records per year. Meanwhile, an All Voices article looks into the fine line between marketing and health privacy, and according to The California Report, health kiosks pose several privacy risks. In a column for The New York Times, one doctor opines on the pros and cons of “Googling” his patients. “I am tempted to prescribe that physicians should never look online for information about their patients…”

US – OCR to Get New Director

Personnel changes at the Office for Civil Rights (OCR) would have a “major impact on healthcare IT security in 2014.” President Barack Obama reportedly intends to nominate OCR Director Leon Rodriguez to fulfill a role in immigration services, leaving questions as to who would replace Rodriguez, especially during such a critical time as the OCR prepares for its 2014 HIPAA audits. In other healthcare-related headlines, a breach lasting four years was discovered at a Virginia health system during a random company audit in November, and patients affected by the data breach at Kaiser Foundation Hospital Orange County have filed a class-action lawsuit in California. patients, though I think the practice will become only more common,” he writes. [Forbes] [HealthITSecurity]


Horror Stories

US – Target Says Malware Found of Point-of-Sale Terminals

Target is now acknowledging that there was malware on its point-of-sale terminals. In addition, the breach, already one of the largest known breaches of payment card data to date, affected as many as 110 million Target customers, nearly three times the initial estimate. Target CEO Gregg Steinhafel says the company is planning “significant changes” in response to the breach, but did not elaborate. [SC Magazine] [CNET] [Krebs Security] [ComputerWorld] [Yahoo] [Target Data Breach Larger than Estimated, 70 Million More Affected]

US – Neiman Marcus Investigating Payment Card Data Breach

Neiman Marcus says that it was also targeted in a data breach over the past few months. The retailer says its database was infiltrated in December. As in the Target breach, the attack affects people who shopped in physical stores but not online shoppers. Neiman Marcus is working with the Secret Service to investigate the breach. [CNET] [Krebs on Security] [US – More retailers reportedly victims of holiday data breaches: At least three more US retailers suffered unpublicized attacks similar to the one on Target, Reuters reports]

US – Lawmakers Want Update from Target; Investigating Neiman Marcus Incident

Lawmakers are seeking answers from Target’s chief executive on the company’s response to its recent breach. Sens. John Rockefeller (D-WV) and Claire McCaskill (D-MO) have asked that the company’s information security officials brief committee staff on its latest internal findings. A Target spokeswoman said, “We have received the chairmen’s letter and are continuing to work with them and other elected officials to keep them informed and updated as our investigation continues.” The heads of the Senate Banking and Judiciary committees are also responding to the breach. Meanwhile, three states have begun investigating a breach at Neiman Marcus. [Source]

US – Data Protection & Breach Notification Legislation Reintroduced in Senate

US Senator Patrick Leahy (D-Vermont) has reintroduced legislation aimed at protecting people’s privacy. This time, the bill includes provisions calling for the establishment of a federal standard for data breach disclosure, and data protection standards for businesses retaining sensitive information. The bill would also impose criminal penalties for people convicted of attempted computer hacking and conspiracy to commit computer hacking. [LOHUD] [RT.COM]


Identity Issues

WW – FIDO’s 2014 Authentication Agenda

To help reduce reliance on passwords, the FIDO Alliance of 70 member companies is developing standard technical specifications for advanced authentication. Michael Barrett and Daniel Almenara of FIDO describe the impact the effort could have in 2014. “The thing to remember is that the whole FIDO methodology is rethinking how authentication is handled from the ground up,” says Barrett, president of the alliance. FIDO plans to publish in the first quarter of this year its first official draft of authentication specifications. The alliance hopes to eventually help launch a certification program to verify that hardware and software is “FIDO enabled” and uses the group’s specifications.The FIDO authentication model will support any device, including a wide variety of mobile hardware – as well as a wide variety of authentication methods. That’s because it’s common for end-users to use multiple devices to access systems. [Source] SEE ALSO: [Canada: Researchers develop ‘narrative authentication’ system]

MY – Malaysia to Introduce High-Tech ID Cards for Foreign Workers

In a bid to check the influx of illegal foreign workers, Malaysia will soon issue new biometric identity cards to nearly 2.3 million foreigners in the country. Malaysia relies heavily on foreign workers to support its tourism and infrastructure industry. There are 2.25 million documented foreign workers in the country right now. Labourers from countries like India, Indonesia, Bangladesh and Cambodia also works in its rubber and palm plantations. Officials said the new ID cards, embedded with high-tech chips, would ensure only legal foreign workers were in the country. The cards were originally planned to be introduced late last year. [] [Editorial:  We need a new jurisprudence of anonymity] See also: [IN — India: The Aadhaar trap: Why you should be really, really worried]


Internet / WWW

US – U.S. Commerce Secretary: New Rules Needed for Potential $19T Market?

At the Consumer Electronics Show in Las Vegas, privacy was a hot topic. Particularly, the Internet of Things is getting close attention, as wearables and micro computers are among the most common new products. Cisco Systems CEO John Chambers made headlines with his keynote, predicting the Internet of Things market could be as large as $19 trillion by 2020. This and other news led U.S. Commerce Secretary Penny Pritzger to say, “I think we need to … have a real look at the issue of privacy and where you draw the lines and what are the rules … I don’t think there is consistency or clarity right now … in terms of what companies are collecting and what they can do with that data.” [Full Story]

WW – IAPP and CSA Announce New Strategic Alliance

The IAPP announced that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes. [IAPP] See also: [NSA Snooping Triggers Foreign Business Flight From US Cloud Services]

WW – How Algorithms Can Probe and Influence Consumer Behavior

Pandora’s Internet radio service has begun mining user preferences to better determine the types of ads that will be most engaging. Pandora’s chief scientist said, “It’s becoming quite apparent to us that the world of playing the perfect music to people and the world of playing perfect advertising to them are strikingly similar.” According to the report, some businesses are attempting to differentiate themselves by creating algorithms that not only understand their consumers’ behavior but also try to influence their behavior. One computer science professor said, “I would guess, looking at music choices, you could probably predict with high accuracy a person’s worldview,” including “people’s stance on issues like gun control or the environment” or, in some cases, political party affiliation. [The New York Times]


Law Enforcement

US – Study Finds NSA Phone Metadata Collection Not Effective Against Terrorism

A study from the New America Foundation finds that the NSA’s bulk collection of phone metadata “has had no discernible impact on preventing acts of terrorism.” The NAF analyzed the cases of “225 individuals … charged in the United States with an act of terrorism since 9/11.” In the majority of instances, conventional investigative methods provided the impetus to open the case. The study found that just one case had been initiated due to information obtained through the wholesale data collection. [Washington Post] [Ars Technica] [Study] See also: [Hong Kong Bar Association opposes planned drug testing scheme]



CA – Making a Business on Phones’ Continuous Broadcasting

Turnstyle Solutions is a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses where else their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tanktops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” [The Wall Street Journal]

US – YP Acquires Sense Networks

Search and advertising company YP has confirmed its acquisition of Sense Networks. YP’s David Lebow confirmed that “acquiring Sense’s technology, with its ability to create custom consumer profiles for use in mobile ad targeting, will give YP a real competitive advantage,” the report states. Lebow has suggested the deal is part of YP’s shift from more traditional publishing models to “placing a premium on technology.” [Tech Crunch]

WW – Tracking Device Lets Mom and Dad Track Junior

A new tracking device allows parents to track their children’s movements. FiLIP is a phone for children allowing parents to install a free app on their mobile devices to link to FiLIP to follow its location. It allows parents to set a “safe zone,” which sounds an alarm if a child wearing a FiLIP device travels beyond it. [The New York Times]



SG – Companies Can Send Certain Messages Without Checking DNC Registry

The Personal Data Protection Commission (PDPC) of Singapore has determined companies are allowed to “send marketing messages to customers that have registered to be listed on a new Do-Not-Call (DNC) Registry under certain circumstances.” While businesses are required to consult the DNC Registry before sending messages—and face fines in certain circumstances—”a new exemption allows businesses to send either text or fax messages to promote ‘related products and services’ to individuals they have an ‘ongoing relationship’ with,” the report states, noting in such instances, companies are not required to consult the registry first. “As the exemption order does not apply to voice calls, organizations are still required to check against the DNC Registry before making telemarketing calls,” the PDPC said. [Out-Law]


Online Privacy

WW – Privacy-Enhancing Phone, Dating App Unveiled

The creators of Silent Circle announced they will unveil a privacy-enhancing smartphone called Blackphone. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS and will have the capability to transmit secure phone calls, texts, file exchanges and storage, and video chat, and anonymizes use via a virtual private network. Creator Phil Zimmerman said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Labratories have announced an encryption search that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. [GigaOM] SEE ALSO: [Engineers and Lawyers in Privacy Protection: Can We All Just Get Along?]

WW – Twitter Scores Points for Privacy; Messaging Apps Compete

An Electronic Frontier Foundation (EFF) report on how companies respond to government data requests has given Twitter its highest rating for protecting privacy. The EFF examined companies on criteria including transparency, whether they require warrants and if they fight for users’ privacy in courts. Twitter and Internet access company alone “earned a ‘star’ for all six categories,” the report states. Meanwhile, in the wake of a recent breach, Snapchat has reportedly “at times, given law enforcement unopened snaps.” New iOS application Confide is responding with its own message service, and one investigative report finds that “Confide’s encrypted storage of message contents are indeed a step above Snapchat’s plain text storage … But totally self-destructing, these messages are not.” Separately, The Exchange reports on concerns over a new tracking feature on Apple’s iPhone. [Business Insider]


Other Jurisdictions

AU – Australian DPA Issues Further Guidelines on Australian Privacy Principles

The Australian data protection authority, the Office of the Australian Information Commissioner (OAIC), has issued two sets of guidelines on the Australian Privacy Principles (APPS) that will provide the framework for Australia’s Privacy Amendment (Enhancing Privacy Protection) Act 2012 scheduled to take effect beginning 12 March 2014. The most recent sets of guidelines relate to rights of data subjects under APP 12 ‘access to personal information’ and APP 13 ‘correction of personal information’.

Key points to note from APP 12:

  • APP entities that hold personal information about individuals must give individuals access to that personal information on request (whether in writing or otherwise informally).
  • Applications for access requests must be free of charge, and any charges relating to providing the information must not be excessive.
  • The right to access information under APP 12 operates alongside other legal procedures, e.g., the Freedom of Information Act (FOI Act).
  • APP entities can refuse to grant access to information by providing the individual written notice justifying the circumstances for refusal. These circumstances include the grounds for refusing consent under the FOI Act, as well as the following:
  • Reasonable belief that giving access would pose a serious threat to life, health or safety of an individual
  • Access would have unreasonable impact on privacy of other individuals
  • The request is frivolous or vexatious
  • Information relates to anticipated or existing legal proceedings and would not be disclosable under discovery
  • Access would reveal intention of negotiations with the individual or would prejudice enforcement activities for misconduct
  • Access would reveal information in connection with a commercially sensitive decision-making process
  • Giving access would be unlawful
  • APP entities must respond to access requests within 30 calendar days by either providing a notice of refusal or granting access in the manner requested by individual.

They key points to note from APP 13:

  • APP entities must take reasonable steps to correct personal information to ensure information held is accurate, up-to-date, relevant and not misleading.
  • Privacy policies must provide a mechanism for individuals to make a request to an APP entity for correction of their personal data.
  • Reasonable steps must be taken to notify other APP entities of the correction.
  • Individuals who request that their information be corrected but are refused must be provided with a complaint mechanism and written notice of the grounds for the refusal to correct the information.
  • It is not permissible to impose any charge on individuals for requesting the correction of their personal information.
  • APP entities must respond to requests for correction within 30 calendar days by either correcting the information or notifying the individual of the grounds for refusing the correction. []

AU – Australian Privacy Act Changes to Introduce Risky Uncertainties

Changes to the Australian Privacy Act are bound to trigger the same uncertainties introduced by the USA’s Sarbanes-Oxley (SOX) legislation, with organisations at risk of financial and reputation damage if unable to adjust to the challenges, according to Centrify APAC regional director, Matt Ramsey. “SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive; it tells you to jump, but not how high. As a result, US corporations need to jump a very high bar to avoid the threat of non-compliance.” From March, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will implement a new set of harmonised privacy principles to regulate the handling of personal information by both Australian businesses and government agencies. Ramsay attributes the revisions to Cloud services and mobility. Ramsey claims these changes risk the cost and compliance challenges of the SOX legislation as it will require organisations to “take reasonable steps” to demonstrate compliance without specifying exact obligations. [Source]

AU – Australia: Will Entities Use Privacy Act “Get Out of Gaol Free” Cards?

In a series of blogs, Brett Winterford explores “the improbability of Privacy Act compliance,” noting that as the 12 March deadline looms, “Australia’s new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services.” Winterford advises organisations that use or plan to use “public cloud computing services that are hosted offshore … consider Australia’s amended Privacy Act in detail.” Winterford also details the Office of the Australian Information Commissioner’s “two ‘get out of gaol’ cards“—commensurate contract and consent—that “corporate Australia will make use of.” [IT News]

AU – Australian Orgs Should Set Responsible Disclosure Expectations

Highlighting cases where organisations were informed—sometimes by researchers or “white hat” hackers—of vulnerabilities but did not take appropriate action, Bugcrowd’s Jonathan Cran is quoted as saying, “It really comes down to ‘don’t be a jerk’—on both sides. But that’s not legally scalable … Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing.” Cran discusses the importance of organisations becoming “proactive in defining ‘reasonable’ or ‘responsible’—and setting expectations” or researchers are left “to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they’ve found.” [ZDNet]


Privacy (US)

US – Obama to Endorse Some NSA Changes; Telcos Off the Hook

President Barack Obama is expected to comment on possible changes to NSA surveillance reform. Though he is “expected to endorse changes to the way government collects millions of Americans’ phone records,” he will likely leave specific changes and decisions to an already divided Congress, the report states. In his speech, Obama is also expected to announce further privacy protections for non-U.S. citizens, and according to The New York Times, he will propose an advocate within the Foreign Intelligence Surveillance Court (FISC) but will not back a plan to have telecommunications firms retain metadata. PC World reports that FISC judges are not supporting calls for a privacy advocate within the court, and Politico reports that the Center for Security Policy has issued a report rejecting most of the recommendations set forth by an intelligence review group. Meanwhile, all five members of Obama’s intelligence review group testified before the Senate Judiciary Committee yesterday.

US – Obama to Announce NSA Recommendations This Week

President Barack Obama will announce the results of his review of the NSA surveillance programs on Friday, January 17. Privacy and Civil Liberties Oversight Board (PCLOB) Chairman David Medine, who met with the president last week, said, “We wanted to be able to provide input into the decision-making process.” The PCLOB is expected to release its own findings on January 23. The Hill reports on how Obama’s decisions around NSA reform have put his legacy on the line. Meanwhile, the European Parliament’s decision to have Edward Snowden testify on NSA surveillance programs has divided MEPs due to fears it could damage EU-U.S. relations. Politico reports that, based on last week’s Consumer Electronics Show, fears of NSA spying have not affected consumers’ excitement for emerging technology. However, according to a new survey , a quarter of Canadian and UK businesses are looking away from U.S.-based cloud storage companies due to NSA spying. [Source] See also: [SCOTUS Is Scared of Tech, But Privacy Pros Can Help]

US – Lawmakers Unsure of Obama’s NSA Reform

President Barack Obama met with a group of “hand-picked” lawmakers to discuss potential reform to the NSA surveillance programs. The meeting included proponents of existing programs—such as Sen. Diane Feinstein (D-CA)—and vocal critics, including Rep. Jim Sensenbrenner (R-WI). Several of the lawmakers left the meeting unconvinced the president was going to reform the programs enough. House Judiciary Chairman Bob Goodlatte (R-VA) said, “it’s increasingly clear that we need to take legislative action to reform” the agency’s intelligence gathering. Sen. Ron Wyden (D-OR) said, “The debate is clearly fluid” and that the president “is wrestling with these issues.” The Wall Street Journal reports Obama will extend privacy protections to noncitizens and will restructure the phone data program. Phone carriers could foot a bill of up to $60 million per year if they’re required to retain data for intelligence agencies. The NSA fallout is also prompting several states into action. [National Journal]

US – FTC Director of Consumer Protection Talks Priorities

The FTC’s Jessica Rich discusses her new role as director of the FTC’s Consumer Protection Bureau. Rich says “native advertising” will be big with the FTC in the near future. “I want to make a broader push into mobile, mobile security, mobile payments, making sure we are able to bring mobile investigations, just as we are able to bring brick-and-mortar investigations.” She adds that the time for privacy legislation has come. Meanwhile, recent data breaches at Target and Snapchat have incited calls from Washington, DC, for legislative action and raised questions about the FTC’s efficacy on data protection. [AdWeek]

US – Pamela Jones Harbour Moves to BakerHostetler

Former Federal Trade Commissioner Pamela Jones Harbour has moved to BakerHostetler where she will help lead its privacy and data protection team. Harbour, who served as a commissioner for six years, will work as a partner assisting clients with data breach notifications and assessments as well as advising on data transfers. “This is an exciting time to join the firm’s antitrust and privacy teams,” Harbour said in a statement. [The Hill]

US – Schneier Moves to Co3; Evidon Hires First COO

Co3 Systems has hired security and privacy expert Bruce Schneier as its chief technology officer, while Evidon has hired its first chief operating officer. Schneier currently serves as a fellow at Harvard’s Berkman Center for Internet and Society, board member of the Electronic Frontier Foundation and advisory board member of the Electronic Privacy Information Center. Emily Riley comes to Evidon from her prior role as a digital ad industry analyst for Jupiter Research and Forrester Research and, most recently, as a VP at behavioral targeting firm Audience Science. Riley says Evidon aims to help people understand the trade-off between free digital content and tracking technologies. [AdAge]


Privacy Enhancing Technologies (PETs)

WW – Confide App Erases Your Text Messages After They’re Read

Borrowing a page from Snapchat, a new iOS app promises to let users send self-destructing text messages. Confide is a free message-deleting IM app for iPhone, iPad, and iPod Touch users. You can send text messages to any e-mail address, either by choosing someone from your contact list or manually entering the address. To read your message, however, your recipient must also sign up for a Confide account and download the app. Viewing a message for the first time prompts them to do so. Reading the message on an iOS device requires your recipient to drag a finger across the screen to reveal each word. A read receipt is also sent to you once your message has been read. After the message is closed, though, it disappears for both the sender and the receiver, which is the whole point behind the app. The messages themselves are also private and encrypted to protect them on their journey. [Source]



US – Gov’t Seeks Access to Gun Buyers’ Mental Health Data

The White House announced two new executive actions “that would expand the government’s access to mental health information during background checks on gun buyers,” noting these “clarify what constitutes a mental health problem that might prohibit gun ownership and allow states more wiggle room in disclosing such personal medical information.” One executive action modifies the HIPAA Privacy Rule and allows mental health data “relevant to gun ownership” to be included in the National Instant Criminal Background Check System (NICS), while the other “clarifies what exactly in someone’s mental health history would prohibit them from owning or purchasing a gun.” [The Daily Caller]

US – Pending Legislation Would Require Inspection of Chinese IT Equipment

US legislators in both houses are expected to approve bills that would prohibit certain agencies from purchasing IT equipment manufactured in China until it is inspected by federal authorities. The provision is part of a 2014 fiscal spending package in the House of Representatives. The agencies that would be affected by the bills are the Department of Commerce, the Department of Justice, NASA, and the National Science Foundation. [NextGov] See also: [UAE May Scrap Satellite Deal with France Over Backdoors in US Components]

WW – Microsoft to End Support for Windows XP in April

In what appears to be a concerted effort to urge users to upgrade from Windows XP to a more current version of the operating system, Microsoft has announced that when is stops supporting XP in April, it will also cease support for Security Essentials on XP. [] [Ars Technica]

WW – The Internet of Things Poses a Growing Threat

Bruce Schneier says that embedded systems pose a growing security threat because “there is no good way to patch them.” He notes that two decades ago, PCs were facing a similar challenge, which has been addressed by full disclosure of vulnerabilities and automated patching. However, embedded systems are products of several different companies, none of which has particular incentive to make sure that they are secure. Schneier says that embedded systems vendors need to be pressured to create more secure products; driver software needs to be open-source; and automated update mechanisms need to be used to keep the products secure. ISPs are a likely locus to initiate this shift. [WIRED] See also: [Russia’s Olympic security to set new surveillance standard at Sochi]


Smart Cards

US – Startup Looks to Thwart Credit Card Hacking

A Texas-based start-up is planning to introduce new technology aimed at thwarting credit card hacking attacks like the 2013 holiday shopping season’s high-profile Target breach. Epic One is developing technology that protects credit cards with biometric readers that scan the cardholder’s fingerprint to avoid such hacks. The start-up will introduce its pilot cards later this year. “The root cause of fraud is the exposure of this information,” said Epic One CEO William Gomez Jr., adding, “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information.” [Forbes]



US – Feinstein on Drones: “Proceed with Caution”

Sen. Dianne Feinstein (D-CA) once found “a drone peeking into the window of her home—the kind of cautionary tale she wants lawmakers to consider as they look at allowing commercial drone use.” Speaking as a special witness at a recent Senate Commerce Committee hearing on drones, Feinstein urged that her fellow legislators “proceed with caution.” Feinstein indicated privacy concerns are “significant” and, according to the report, called for “close scrutiny and recommended a search warrant requirement” for government-operated drones and “strong, binding enforceable privacy policies that govern drone operations … before the technology is upon us.” [Politico] See also: [US: Border-patrol drones being borrowed by other agencies more often than previously known]

US – NSA Using Radio Tech to Snoop on Machines Not Connected to Internet

The NSA has put malware on 100,000 computers that allow it to conduct surveillance, even when the machines are not connected to the Internet. The NSA has been using the technology since 2008. The technology involves the use of small transceivers and in some cases, small circuit boards placed inside targeted machines. [NY Times] [ComputerWorld] [NBC News] [Ars Technica] [SC Magazine] []

US – FISC Jurists Oppose Transparency, Oversight  Recommendations

Current and former Foreign Intelligence Surveillance Court judges says that White House task force recommendations for change to court procedures would place a greater burden on the court and hinder its ability to do its job. The letter, written by former FISC Chief Judge John D. Bates, expresses the jurists’ opposition to appointing an independent privacy advocate to represent public interest; requiring the FISC judges’ approval for national security letters; broadening the selection process of FISC judges; and the cessation of the NSA’s phone call metadata collection program. [Washington Post] [LA Times] [ComputerWorld] [CNET]

US – Both NSA Metadata Gathering Rulings Will be Appealed

Both recent rulings regarding the legality of the NSA’s phone metadata gathering program will be appealed. On Thursday, January 2, the ACLU filed a notice of appeal in its lawsuit challenging the data collection program; Judge William Pauley III dismissed the ACLU’s challenge the previous week. On Friday, January 3, the US Justice Department (DOJ) filed an appeal of a ruling from Judge Richard Leon in Klayman v. Obama, which found that the NSA’s data collection likely violates the constitution. [ComputerWorld] [ZDNet]

US – NSA Metadata Gathering Program Might Not Reach Supreme Court

If each of the federal judges’ rulings on NSA data gathering is upheld on appeal, it is likely the Supreme Court would step in to resolve the issue. However, according to Orin Kerr, a Fourth Amendment scholar at George Washington University, it is not a sure thing. Kerr points out in a Volokh Conspiracy post that the provision of the Patriot Act (Section 215) that is being held up as license to continue the snooping expires on June 1, 2015. By that time, legislators will likely be debating the issue, and this “lessens the likelihood of the Supreme Court stepping in to the debate at that time, both because the issue may be mooted by statute and because the Court may feel that statutory regulation is preferable to constitutional regulation in this context.” [WIRED] [Orin Kerr’s post] In the meantime, the Foreign Intelligence Surveillance Court (FISC) has renewed the NSA’s phone data collection program. The FISC has to renew the program every 90 days. The court makes clear that the program does not permit the NSA to collect the content of phone calls. [SC Magazine]

US – States Respond to Citizens’ Surveillance Concerns

While states don’t have the authority to shut down NSA surveillance, many state lawmakers are doing their best to enact legislation that will put limits on state and local law enforcement’s abilities. The need for limits on government surveillance of U.S. citizens is one of the few things Democrats and Republicans seem to agree on; according to a USA Today report, “the same proportion of Democrats and Republicans said they are more worried about their civil liberties than they are about terrorism.” From cellphone location data to drones, online browsing to license-plate scanning, coast to coast and left to right, state lawmakers are proposing anti-surveillance laws. In fact, Wisconsin Rep. David Craig noted, “There are so many different facets of technologies that can be misused that lawmakers need to keep our heads on a swivel.” Well, in this legislative session, it seems there’s a bill out there trying to stop every one of them. Many anti-surveillance bills have already become law, but here are some that are on their way down the pike. [US – NSA Insiders Reveal What Went Wrong]

Arizona – Arizona Sen. Mae Beavers (R-Mt. Juliet) says she will introduce legislation requiring state and local police agencies to obtain a warrant prior to “accessing or retrieving” residents’ location data through an electronic device, reports The Chronicle of Mt. Juliet. “We cannot let technological advances sidestep the Fourth Amendment,” said Beavers, who plans to model the legislation after a Montana law. And, as the Privacy Tracker previously reported, Sen. Kelli Ward (R-Lake Havasu City) also plans to introduce a bill to prohibit state and local law enforcement from providing support to the NSA and state-owned utilities from providing services to NSA facilities.

California – California Sens. Joel Anderson (R-San Diego) and Ted Lieu (D-Torrance) have introduced the Fourth Amendment Protection Act, which would make information collected by the NSA without a warrant inadmissible in state court. The law would also ban University of California and California State University employees from establishing “NSA research facilities or recruiting grounds,” reports Raw Story. The OffNow Coalition, a faction of the Tenth Amendment Center, helped to develop this bill along with other similar bills being considered in Oklahoma, Missouri and Kansas.

Indiana – The Indiana House Courts and Criminal Code Committee had its first hearing on a bill that would limit law enforcement’s use of drones and other surveillance equipment on private property, reports Rep. Eric Koch (R-Bedford) authored the bill, which requires search warrants for electronic surveillance or data collection, with some exceptions.

Kansas – As previously reported, State Rep. Brett Hildabrand (R-District 23) has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing.

Maryland – Maryland Sen. Christopher Shank (R-Washington) announced plans to introduce four bills during the current Assembly that would restrict the ways local and state police use technology to monitor e-mail, location tracking through cell towers and license-plate readers, reports Herald Mail Media. Three of the four bills would require law enforcement to get a warrant, rather than a court order, prior to beginning surveillance activities, increasing the burden of proof for approval.

Massachusetts – Rep. Jonathan Hecht (D-Watertown) has introduced legislation that would put a 48-hour limit on police retention of data obtained through license-plate readers, unless it is directly related to an investigation.

Michigan –Rep. Sam Singh (D-East Lansing) wants to see limits on license-plate readers (LPRs) in that state, reports Landline Magazine. “His bill would prohibit LPRs from recording pictures of drivers, require that local department-level policies govern their use and allow the attorney general’s office to ban use of the technology at agencies found in violation,” the report states, noting, “The bill would also mandate that license-plate records collected by the readers must be deleted from data systems within 48 hours after they were collected. An exception would be made when the record is linked to criminal activity.”

Missouri – Sen. Will Kraus (R-Lee’s Summit) has filed SB 599 to restrict “the storage and use as evidence of data collected through automated license-plate reader systems.” The bill would require jurisdictions that collect data using an automatic license-plate reader to delete that data after 30 days,” according to Kraus’s website.And, as previously reported, a resolution proposed in the state would make information including e-mails, phone records and Internet records obtained without a warrant inadmissible in court

New Hampshire – While New Hampshire is currently the only state that prohibits the use of license-plate scanners, the House will consider a bill this week to authorize their use, reports CBS.

New Jersey – The New Jersey Assembly has approved new requirements for law enforcement and fire departments’ use of drones, reports The Star-Ledger. The bill had bipartisan sponsorship and passed 74-1. While it is very similar to a bill passed in the New Jersey Senate last summer, this bill includes a warrant requirement, which sponsors say would help protect personal privacy as that technology becomes more common. Reps. Amy H. Handlin (R-District 13) and Caroline Casagrande (R-District 11) in November introduced a bill that would require “judicial approval prior to installation or use of automated license-plate reader by law enforcement agency.”

Ohio – In Ohio, HB 69 would “prohibit the use of traffic law photo-monitoring devices by municipal corporations, counties, townships and the State Highway Patrol to detect traffic signal light and speed limit violations, except in certain circumstances.”

Oregon – Within the next month, Oregon lawmakers are expected to introduce at least three bills aimed at preserving privacy. The Oregonian reports the three known proposals will include one to limit the use of license-plate readers by law enforcement agencies; another to “exempt from public records laws the travel histories linked to electronic fare cards the transit agency plans to introduce in a few years,” and the last is aimed at prohibiting law enforcement agencies from obtaining cellphone location data, Internet, e-mail and social media account data and television-watching history without a warrant, except in certain circumstances. These proposals will come on the heels of the passing of a law that limits drone use by law enforcement in the state.

Virginia – Del. Bob Marshall (R-13th District) is sponsoring legislation that states, “a cellular phone or other wireless telecommunications device is a tracking device when it is used to track the movement of a person and that such use requires a warrant issued by a judicial officer.”

Wisconsin – Reps. David Craig (R-Vernon) and Fred Kessler (D-Milwaukee) and Sen. Tom Tiffany (R-Hazelhurst) introduced legislation last November that would limit police us of license-plate scanning. According to a Wisconsin State Journal report, “The bill would allow the cameras to be turned on only during the investigation of a crime. It also would prohibit sharing the stored information with nongovernment entities and require data destruction within 48 hours, unless it was necessary for a criminal investigation.”

US – Tracking Equipment Keeps Getting Cheaper, Study Finds

New research published in The Yale Law Journal by independent researcher Ashkan Soltani and New America Foundation’s Open Technology Institute Policy Director Kevin Bankston has found that the cost of tracking the location of an individual is growing dramatically cheaper. Based on work submitted to the Privacy Law Scholars Conference in 2013, Soltani writes on his personal blog, “tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.” Soltani also notes, “If technical and financial barriers previously provided some protection from large-scale surveillance by the government, these implicit protections have been essentially eliminated by the low costs of new surveillance technology,” adding, “Once the cost approaches zero, we will be left with only outdated laws as the limiting function.” [Ashkan Soltani]

US – “Granny Cams” Raise Privacy Concerns

The use of surveillance cameras or “granny cams” in nursing homes is a practice that is currently legal in Oklahoma, New Mexico and Texas, “to collect evidence of abuse and neglect.” While their use has positive implications for stopping abuse, the report cautions there are privacy implications not only for patients but for roommates, visitors and caregivers. In addition to the potential invasion of patients’ privacy during such personal activities as bathing, the report notes that those with dementia may be unable to consent to the surveillance. [AARP Blog]


Telecom / TV

US – Telcos Not Warming Up to Obama’s Retention Plan

Telephone companies are “quietly hesitating” at a potential plan to have them alter how they collect and retain Americans’ phone records to help the NSA’s surveillance programs. According to the report, phone company executives and their lawyers have said they prefer the NSA to keep control over the records. A representative from CTIA-The Wireless Association said, “Our members would oppose the imposition of data retention obligations that would require them to maintain customer data for longer than necessary.” One key concern for the phone companies is liability. Former NSA official Stewart Baker said Congress “grudgingly” gave legal protection to phone companies after the 2001 terrorist attacks. “The phone companies were seared by their experience in Congress and can’t be enthusiastic about a return engagement,” he added. [The Associated Press]


US Government Programs

US – Court Upholds “Reasonable Suspicion” Requirement for Device Searches

The US Supreme Court has let stand an appellate court ruling that says border agents may search electronic gadgets without reason for suspicion. However, the lower court ruling also found that for the border agents to conduct in-depth forensic analysis of the devices, they must have reasonable suspicion of criminal activity. The case involves a California man whose laptops and cameras were seized and searched upon his return to the US from Mexico. The agents found evidence of child pornography on the devices. The appellate court ruled that the agents did have reasonable suspicion to search Howard Cotterman’s devices because his name was on a watch list as he is a convicted sex offender and travels frequently to places known for sex tourism. While agents are allowed to search devices on a whim—just as they would a vehicle—the court upheld the appeals court ruling that using software to “decrypt password-protected files or to locate deleted files” cannot be done without facts pointing to illegal activity, the report states. [WIRED] [ComputerWorld]

US – FISC Approves Gov’t Metadata Collection

National Intelligence Director James Clapper released a memo stating that the government has filed an application with and received approval from the Foreign Intelligence Surveillance Court to collect telephony metadata in bulk. “It is the administration’s view … that the telephony metadata collection is lawful,” the memo states. Meanwhile, The New York Times reports on a federal appeals court ruling that allows the Justice Department to continue to withhold a memo that allegedly “opened a loophole in laws protecting the privacy of consumer data.” The Times also reports on Jill Kelley, who is seeking damages and an apology from the government for revealing her name in the David Petraeus scandal. Washington University in St. Louis Prof. Neil Richards said, “This case shows that privacy is really important and that the legal rules we have are not tailored for modern technology.” [NBC News]

US – One-Hour Breach Mandate Is Wasteful, Says GAO Report

A GAO report released last month calls into question the effectiveness of new U.S. Office of Management and Budget (OMB) rules that require federal agencies to report PII-related data breaches to the Department of Homeland Security within an hour of their discovery. Further, “OMB staff said that they were unaware of the rationale for the one-hour timeframe, other than a general concern that agencies report PII incidents promptly,” the report reads, while saying that agencies are likely to have little to report with so little time to investigate what happened and why. Meanwhile, there are privacy hurdles to overcome with teenagers and new online patient portals. How much information should parents be allowed to see, and how can that be controlled? [FierceGovernmentIT]


US Legislation

US – Sens. Push for More Data Privacy; FTC Wants “Regulatory Humility”

US senators are calling for action on data privacy legislation in the wake of the Target breach, while on the same day, Federal Trade Commissioner Maureen Ohlhausen called for “regulatory humility” in light of the emerging Internet of Things market. Sen. Deb Fischer (R-NB) said, “Our nation’s entire data security system is in desperate need of revamping … That’s going to require congressional action.” Sen. Patrick Leahy (D-VT) also reintroduced his Personal Data Privacy and Security Act . Amidst such calls for legislative action, Ohlhausen said in prepared remarks at the CES that if new technologies do give rise to harms, “we should carefully consider whether existing laws and regulations are sufficient to address them before assuming that new rules are required.” Meanwhile, in light of a recent GAO report, Sens. Tom Coburn (R-OK) and Susan Collins (R-ME) are calling on agencies to adhere more strictly to federal guidelines and for the Office of Management and Budget to update its policies and increase oversight of breach procedures. [The Hill]

US – Documented Consent Needed to Avoid TCPA Claims

A federal court has denied a motion to dismiss a Telephone Communications Protection Act (TCPA) case, indicating that companies need to have proof of consent in order to avoid TCPA claims. The case involves a customer offering up her cellphone number in a loan application, which the Federal Communication Commission (FCC) has held as a valid form of prior consent; however, the company did not produce the customer’s actual application but an example of the application the company used at the time. “Were Defendant CheckSmart able to submit Plaintiff’s actual loan application showing that she provided these phone numbers, the court would need to evaluate the issue further,” wrote Judge Karon Owen Bowdre. According to the report, this serves as “a reminder that companies should ensure that they collect and retain sufficient documentation of compliance with the TCPA.” [Inside Privacy]

US – Ohlhausen: We Don’t Need New Laws

Law360 reports that during a Technology Policy Institute event last week, FTC Commissioner Maureen Ohlhausen pushed for government officials to “focus on enforcing the powerful laws we already have,” adding, “We simply do not need new talk, new laws or new regulations.” Ohlhausen voiced her opinion that Big Data doesn’t raise “fundamentally new issues,” and before assuming new rules are needed, officials should consider whether existing law will address problems that arise from new technologies.

US – House Passes Two ACA Security, Transparency Bills

On January 10, the House of Representatives passed the Health Exchange Security and Transparency Act that would require the Department of Health and Human Services to notify individuals within 48 hours of a health exchange breach. While House Republicans say it’s important for patients to know of breaches quickly, President Barack Obama has said it would mean “unrealistic and costly paperwork requirements,” noting that it does nothing to improve perceived security flaws in the exchanges. The bill is expected to fail in the Senate. [HealthIT Security] On January 16, it passed the Exchange Information Disclosure Act, which, among other provisions, would mean Congress would receive weekly reports on technical problems with, “including those related to consumer privacy and data security,” [reports GovInfo Security]

US – 20 Bills to Watch This Year

Inside Privacy offers up a list of pending legislation that privacy professionals should keep an eye on this year. Included in the list are the Personal Data Privacy and Security Act of 2014, the Electronic Communications Privacy Act Amendments Act of 2013 and the Drone Aircraft Privacy and Transparency Act of 2013 in the Senate and in the House, the Do Not Track Kids Act, the Cyber Privacy Fortification Act of 2013 and the GPS Act.

US – CA Rep. Introduces NSA Collection Restructuring Bill

Rep. Adam Schiff (D-CA) has introduced a proposal that would eliminate call records from the types of information the government can collect under the USA PATRIOT Act, according to a press release. Instead, approval from the Foreign Intelligence Surveillance Court would be required to access call records on a case-by-case basis. The bill “mirrors the restructuring of the telephone metadata program recommended by the President’s Review Group on Intelligence and Communications Technologies, as well as changes that Congressman Schiff has been advocating for since before the metadata program was made public,” the release states.

US – Proposed California Bill Would Ban Agencies from Helping NSA

Two California state senators have introduced legislation that would prohibit state officials, state agencies, and companies providing services to the state from helping the NSA with surveillance without a specific warrant. Information gathered without such a warrant would be inadmissible as evidence in California courts. State and locally owned utilities would also be prohibited from supplying NSA facilities with water and electricity. [ComputerWorld] [SC Magazine]

US – CA Bill Would Prohibit Selling of License-Plate Camera Data

Sen. Jerry Hill (D-San Mateo) has introduced SB 893, which would prevent police from selling data from license-plate reading cameras to privacy parties, while still allowing them to use the data in investigations. The bill would also require police to obtain a warrant to access license-plate data more than five years old and allow victims to sue and recover damages. [The Almanac]

US – Florida to Reconsider Prescription Drug Database

State Senator Aaron Bean (R-District 4) is drafting a bill that would restrict access to the state’s prescription drug database. The Florida Department of Health last year gave defense attorneys the prescription histories of 3,300 people. Bean claims this was outside the scope, and the incident inspired him to write legislation to address it. [WOKV]

US – Maine Considering Social Media Bill

LD 1194, sponsored by Rep. Michael McClellan (R-Raymond), would prohibit employers or educational institutions from requiring a student, employee or prospective employee to provide access to social media or personal e-mail accounts.  Opponents of the bill say it could make it harder for school officials to address cyberbullying; however, an ACLU of Maine representative said provisions in the bill allow for schools to access an account after contacting a parent in specific circumstances. The Judiciary Committee is scheduled to consider the bill again this week. [Kennebec Journal]

US – Maryland to Consider Anti-Surveillance Package

A bipartisan group of lawmakers in Maryland introduced a package of bills that would require state and local police to get a warrant before intercepting e-mail communications or tracking individuals using drones, mobile phones or license-plate readers, reports The Washington Post. “The technology has gotten way out in front of the law,” said Sen. Jaime Raskin (D-Montgomery).

US – South Carolina Considers Digital Privacy Legislation

Members of the South Carolina House say they plan to pass a digital privacy law this year that would give similar protections to mobile phones as afforded to homes, reports House Speaker Bobby Harrell (R-Charleston) says since the 2012 breach at the Department of Revenue, the issue of protecting citizens’ data has gained momentum, noting, “In today’s society, privacy is becoming a harder and harder thing to protect.” A state law enforcement spokeswoman said officers have concerns that a digital privacy law would “affect our ability to get violent offenders off the streets.”

US – NH Reps. Introduce State Drone Privacy Bill

After a failed attempt to pass a drone privacy bill last year, New Hampshire Reps. Neal Kurk (R-District 2) and Joe Duarte (R-District 2) have introduced bills requiring police to get a warrant in order to use information obtained through drone use in court. In an effort to thwart concerns voiced last year, Kurk’s bill includes a provision stating that it would only take effect if allowed under federal law. [Associated Press]

US – Washington Sen. Calls for Student Data Study

Rep. Elizabeth Scott (D-Monroe) has sponsored a bill calling for a study into how much student data is being released without consent. The bill aims to help the legislature decide whether it should change data handling practices. Scott says she’s concerned about changes to the Family Educational Rights and Privacy Act that allow personally identifiable data to be shared with companies, adding that the growth of programs like the Common Core State Standards will increase the amount of data collected. The House Education Committee is scheduled to discuss the bill on Wednesday. [KUOW]

KY – Kenyan Official to Get Access to Mobile Network User Info

The Kenya Information and Communication Amendment Act 2013 is expected to be signed into law this week and would mean the Communications Commission of Kenya (CCK) would have unlimited access to mobile network consumers’ confidential information. There are questions surrounding the constitutionality of the act, however. While one article guarantees citizens a right to privacy, another—used to justify the regulation—allows any citizen access to “information held by the state or any information that is held by another person and that is required for the exercise or protection of any right or fundamental freedom,” the report states. [ITWeb Africa]

US – U.S. Lawmakers to Introduce Bill on Driver Privacy

Privacy concerns based on increasingly sophisticated technology systems in cars. While automakers say they are responding to consumer demand, privacy advocates disagree. Sens. John Hoeven (R-ND) and Amy Klobuchar (D-MN) will soon introduce a bill that would put car owners in control of the data collected on the vehicle event data recorders commonly known as black boxes. “We’ve got real privacy concerns on the part of the public,” Hoeven said. “People are very concerned about their personal privacy, especially as technology continues to advance.” [The New York Times]

US – Court Denies Suit Alleging Data Broker’s Liability

The U.S. Supreme Court has denied a New York man’s request to hold a data broker liable for illegally selling data taken from Department of Motor Vehicles records. The records were sold to a stranger who allegedly tracked down Erik Gordon and harassed him. The court “refused to grant certiorari” to Gordon’s challenge to a Second Circuit ruling, which rejected his efforts to sue Softech International for the alleged privacy breach. [Law360]

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for a FCRA violation. [Full Story]

US – Kentucky May Become 47th Breach Notification State

Breach notification bills are beginning to pile up in the U.S. Senate, and lawmakers in Kentucky have introduced data breach notification legislation that, if passed, would make Kentucky the 47th state to enact such legislation. One expert says there currently isn’t support for a bill covering the private sector, but there is for the public sector. [GovInfoSecurity]

US – Anti-NSA Surveillance Legislation Proposed in MO and KS

A resolution proposed in Missouri would make e-mails, phone records and Internet records, among others, obtained without a warrant inadmissible in court, reports Tenth Amendment Center. SJR 27 proposes an amendment to the state’s constitution that adds “electronic communications and data” to the list of things protected from unreasonable searches and seizures. In Kansas, State Rep. Brett Hildabrand has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing. “The bill would ban all state and local government in the state from ‘possessing or attempting to possess’ such information unless a person gives ‘express and informed consent,’ or the local or state government ‘obtains a warrant, upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized,’” the report states. [The Washington Times]

CY – New Data Protection Bill in the Caymans Expected

After receiving less-than-positive feedback last time it was introduced for comment, a revised data protection bill is expected to come before the Legislative Assembly in the coming year. The bill would apply to both public- and private-sector organizations in the Cayman Islands as well as “entities outside the islands that have certain data processing functions here,” the report states. The Human Rights Commission has reviewed the bill and passed it along to the Legislative Assembly, identifying some concerns including the complexity of the bill. []

US – PA Bill Would Expand DNA Collection

The Pennsylvania House of Representatives is considering a bill that would require police to collect DNA samples from people arrested for any felony or misdemeanor that requires registration as a sex offender. Senate Majority Leader Dominic Pileggi (R-DE) introduced the bill and says passing the bill would put the state on par with others that have expanded their DNA databases. [TribLive]

US – Trends for 2014? Try Increased Enforcement

California’s Do-Not-Track (DNT) law has gone into effect, mandating websites indicate in their privacy policies how they respond to DNT signals. Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis said, “There’s always smoke in a handful of state legislatures, but there’s only fire in California.” In light of NSA surveillance of Europe, the EU is expected to come down strong on its Safe Harbor agreement with the U.S. ZwillGen Privacy Counsel Mason Weisz said, “The Europeans are upset, and I think there will be some attempt to placate them in the U.S.” Finally, industry and federal enforcement is expected. The Better Business Bureau has promised to increase enforcement in the behavioral advertising ecosystem, while the FTC is expected to bolster enforcement of the recently updated Children’s Online Privacy Protection Act. With pressure from industry and federal regulators, Weisz said it will “encourage companies to make more representations … and more representations means more risk.” [AdAge]


Workplace Privacy

US – Balancing Wellness Programs and Proper Data Sharing

HR pro Michelle Hicks writes on the proper way to balance implementation of wellness programs at your firm while being mindful of employee privacy. While these programs offer many benefits both for the employees themselves and for the corporate bottom line, they also “ask employees to share information that is so personal that they may not even tell their spouse,” Hicks writes, “like their weight and their body mass index.” She then walks you through the important questions to be asking, information to be sharing and practices to put in place so that both employer and employee are protected. [Idaho Business Journal]

WW – When the Quantified Self Is In the Office

As the quantified-self movement continues to grow more popular, how does it fit into the workplace? Stanford Graduate School of Business Associate Prof. Harikesh Nair said, “It’s definitely an incredible revolution that is going to happen in workplace measurement,” adding it can be a positive development for businesses, giving employers clearer insight on how their employees interact with one another and what makes them successful, the report states. One company is using wearable devices to track its sales staff to improve responsiveness and productivity—which has shown a five- to 10-percent raise in productivity gains. [Fast Company]

US – Overview of Workplace Privacy Legislation for 2014

New laws that went into effect on January 1 are a harbinger of what employers may expect to see in the coming year regarding workplace privacy: more restrictions on access to applicants’ and employees’ criminal history, credit information and personal social media content. To further complicate the challenges of addressing privacy in the workplace, employers will be required to grapple with next-generation issues raised by the use of social media as a business tool and the increasing adoption of bring your own device (BYOD) programs. As reflected in the summary below, the ever-shifting balance between employer prerogative and employee privacy likely will continue to move in a direction that favors employee privacy.

Criminal History Information: With the start of 2014, Minnesota and Rhode Island joined the wave of jurisdictions that have “ban-the-box” legislation. These laws generally prohibit employers from requesting criminal history information in the employment application. Ban-the-box laws have also been enacted in Buffalo, NY; Hawaii; Massachusetts; Newark, NJ; Philadelphia, PA, and Seattle, WA. Similar bills are pending in 26 states. These laws create challenges for employers because they establish both varying rules on the point in the hiring process at which an employer can request criminal history information and different procedural requirements surrounding such requests. Also effective on January 1 is a new California law that prohibits employers from asking about or considering information concerning applicants’ criminal convictions that were judicially dismissed or ordered sealed. This new law adds to a growing list of state law restrictions on employers’ inquiries into criminal history information—in addition to restrictions on inquiries about criminal history in the employment application. In addition to new legislation in this area, employers likely will also see continued aggressive enforcement by the Equal Employment Opportunity Commission (EEOC) regarding employers’ use of criminal history for employment decisions and increased litigation by the plaintiffs’ class action bar which won several seven-figure settlements in 2013 based on employers’ alleged violations of the federal Fair Credit Reporting Act (FCRA) when conducting criminal history checks.

Credit Information: On January 1, regulations implementing Colorado’s Employment Opportunity Act became effective. The law and its implementing regulations are similar to laws enacted in nine other states that restrict the use of credit information for employment purposes. These laws generally prohibit employers from procuring credit information on applicants and employees unless the information is “substantially job related.” However, the laws establish materially different definitions of that key statutory term. The states that have enacted such laws, in addition to Colorado, include California, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington. Similar bills are pending in 35 states. In addition, in December 2013, U.S. Senator Elizabeth Warren introduced a bill that would impose restrictions on employers’ use of credit information for employment purposes that are more stringent than any of these state laws.

Social Media Passwords: On January 1, Oregon became the twelfth state with a “social media password protection” law, joining Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Utah, and Washington. These laws share one common thread: they all prohibit employers from asking applicants for their user name, password or other login credentials for their personal social media accounts, and all of the laws, except New Mexico’s, impose the same prohibition with respect to employees. Unfortunately, beyond that, the laws vary materially in terms of prohibited conduct, exceptions and remedies. Employers will likely face increasing complexity in this area in 2014 as bills addressing access to applicants’ and employees’ personal social media accounts are pending in 15 states.

Other Social Media Issues: Since January 2011, the National Labor Relations Board (NLRB or “Board”) has repeatedly struck down provisions of employers’ social media policies and reversed employer discipline of employees based on employees’ personal social media activity. According to the Board, these employers violated Section 7 of the National Labor Relations Act (NLRA) by implementing policies that interfered with employees’ right to discuss the terms and conditions of employment or by disciplining employees for exercising that right in social media. Because social media have become an integral part of daily life for so many employees, in 2014, employers will continue to confront these issues. Employers also may encounter a new set of issues arising from their growing reliance on social media to advance their business interests. Recent decisions by the NLRB’s administrative law judges and recent statements by the NLRB’s recently confirmed general counsel suggest that if employers allow employees to use corporate social media platforms, such as Yammer or Chatter, or corporate social media pages for non-business purposes, the NLRB will attempt to impose the same restrictions on employers that it has applied to employees’ personal social media activity. In other words, without carefully drafted policies or terms of use, employers run the risk that corporate-sponsored social media sites could be subverted for employees’ complaints about the terms and conditions of employment.

Bring Your Own Device: The “consumerization of IT” will continue to expand in 2014 as more employers hope to reap savings from employees using their personal devices, rather than corporate-owned devices, to conduct their employer’s business. These bring your own device programs pose fundamental challenges for employers seeking to balance the need to safeguard customer and corporate data without unlawfully accessing employees’ personal information. While many employers have addressed the balance through BYOD policies and user agreements, maintaining that balance will become only more challenging to maintain in 2014 from an operational perspective as employees increasingly rely on mobile apps to store sensitive information about themselves, such as blood pressure, blood sugar level and heart rate. For multinational employers, the roll-out of BYOD programs in 2014 to their employees in the European Union and other jurisdictions with broad data protection laws can create even more substantial challenges. In many of these jurisdictions, employers face greater restrictions than in the U.S. on access to an employee’s personal device. In addition, employers must implement systems that will permit data subjects to obtain access to, and update, the data subject’s personal data even when it is stored on an employee’s personal device.

Conclusions and Recommendations: In sum, it is likely that two major trends will continue to play out in 2014 in the area of workplace privacy, and in a direction that favors employees. First, legislators, enforcement agencies and the plaintiffs’ bar will likely continue their efforts to narrow the scope of information that employers can consider when making employment decisions about applicants and employees. Second, technology will continue to blur the lines between work and personal life, with personal life expanding into work life—not the other way around. However, the widening scope of the NLRA and the increasing number of countries with broad data protection laws will compel employers to tolerate this “intrusion” of personal life into work. Employers should consider the following steps in response to these trends:

  • Review existing practices for collecting and using criminal history, credit and personal media information about applicants and employees and implement policies to ensure compliance with state law restrictions on the collection of such information as well as with the federal Fair Credit Reporting Act’s background check requirements;
  • Implement a social media policy, or update the organization’s existing policy, to address recent NLRB decisions with respect to both employees’ personal social media activity and employees’ social media activity on the employer’s behalf;
  • Require that all U.S. employees execute a BYOD user agreement before permitting them to use a personal mobile device to conduct company business;
  • Before rolling out a BYOD program to non-U.S. employees, evaluate whether local law will permit the employer to take the necessary steps (such as access to, and monitoring of, the personal device and remote wipe) to safeguard corporate and customer data and develop systems for complying with requests by data subjects to exercise their rights with respect to data stored on employees’ personal devices.


16-31 December 2013


WW – Advancements in Facial Recognition Raise Privacy Questions

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [The New York Times]

WW – How Reflections in Victim’s Eyes Could Help Identify Perpetrators in Hostage Situations

New research suggests that police investigating crimes in which the victims were photographed may find hidden clues by looking for reflections in victims’ eyes. Pupils, the researchers said, can reveal “surprisingly rich” information, as they essentially act as a “black mirror.” By zooming in on the eyes and adjusting the contrast, police investigators could potentially use high-resolution photographs to identify a victim’s surroundings, including their assailant. The article was written by psychologists Rob Jenkins, of the University of York in England, and Christie Kerr, of the University of Glasgow. To test their theory, the researchers shot “passport-style” photographs of individuals and then zoomed in to recover facial images of bystanders in the reflections of subjects’ eyes. The reflected facial images were typically about 30,000 times smaller than the subjects’ faces. Thus, the quality of the images was not great, the researchers wrote. Despite the poor quality, study participants who were shown eye-reflected images of people they did not know were still able to identify them later in a face-matching test 71% of the time. When shown eye-reflected images of people they did know, study participants were able to identify them 84% of the time. “Our findings thus highlight the remarkable robustness of human face recognition, as well as the untapped potential of high-resolution photography,” Jenkins said in a news release. [The National Post]

WW – Can Robots Better Spot Terrorists at Airports?

Aviation and government authorities are starting to use machines in lieu of people to verify the identities of fliers by scanning their faces, irises or fingerprints. Dozens of airports in Europe, Australia and the U.S. already employ such technology so passengers can pass immigration checks without showing identification to, or talking with, a person. Now, several major airports in Europe have started using these automated ID checks at security checkpoints and boarding gates. Ultimately, the technology could “get rid of the boarding pass completely,” with fliers’ faces serving as their tickets, said Michael Ibbitson, chief information officer of London Gatwick Airport. Gatwick performed a trial this year in which it processed 3,000 British Airways fliers without boarding passes. The fliers scanned their irises when checking in, enabling cameras at security checkpoints and boarding gates to automatically recognize them. “We’re only just starting to see what biometrics can do,” he said. Critics, however, worry that relying too much on automation will dull the senses of human screeners and remove the human intuition that can detect when something just doesn’t seem right. About 28% of the world’s airports now use biometric technology, up from 18% in 2008, according to a survey by SITA, an airline IT provider. [Wall Sttreet Journal]

US – Tech Giants and Privacy Advocates Square Off Over Facial Recognition

Facebook Inc., Wal-Mart Stores Inc. and other companies planning to use facial recognition scans for security or tailored sales pitches will help write rules for how images and online profiles can be used. The U.S. Department of Commerce will start meeting with industry and privacy advocates in February to draft a voluntary code of conduct for using facial recognition products, according to a public notice. The draft will ready by June. The code of conduct will apply only to commercial use, not to how law enforcement or spy agencies may use it. [The Vancouver Sun] [Facebook facial recognition matches abused child’s image to aid in arrest]


CA – Stoddart Departs Commissioner’s Post

Privacy Commissioner Jennifer Stoddart is departing from office and the work she did while there, including taking on big companies like Google and Facebook in defence of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier has stepped up as interim privacy commissioner until Stoddart is replaced. [Vancouver Sun]

CA – Cavoukian Investigating Report of Data-Sharing with Border Services

Ontario Information and Privacy Commissioner Ann Cavoukian will investigate reports of private health information “being shared with U.S. border services, saying it’s a matter ‘of grave concern’ to her.” In an e-mail to the provinces’ New Democrats (NDP), who sought her help, Cavoukian noted her office “will investigate the matter and ensure that the personal health information of Ontarians is not being compromised by any organizations under my jurisdiction,” the report states, noting the NDP’s France Gélinas indicated being “contacted by three people who have been denied entry” into the U.S. based on personal health reasons. “All Ontarians need to be assured that their personal information is never shared without their consent,” Gélinas said. [Huffington Post] SEE ALSO: [Cavoukian Discusses Privacy by Design on U.S. Public Radio] and [Canadian spy watchdog decries ‘misinformation’ flowing from recent Snowden leaks]

CA – Commissioner Calls on Ministry to Take Action After Breach

Saskatchewan Privacy Commissioner Gary Dickson says the Ministry of Highways must take further action after a worker snooped on a driver. Following a traffic incident between a transport compliance branch employee and another driver, the employee looked up the driver’s personal details via the Saskatchewan Government Insurance (SGI) database and then contacted the driver, the report states. The driver then complained to SGI and the Royal Canadian Mounted Police. Employees of the transport compliance branch are permitted to use the SGI database only for certain purposes. The employee has been suspended for 20 days without pay, according to the highways minister, but the privacy commissioner wants stronger action. [Times-Colonist]

CA – Commissioner: Pharmacy Employee Broke Province’s Rules

Alberta Privacy Commissioner Jill Clayton has said a “casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook ‘friend’ a woman who had filed a prescription.” “Employers have a responsibility to inform and train their staff on the appropriate use of health information,” Clayton said, adding, “Health information systems are for healthcare, not matchmaking.” Clayton’s investigation found the employee, who is no longer employed at the pharmacy, misused health information while the pharmacy’s manager did not implement appropriate safeguards. [CBC News]

CA – Opinion: Bill C-13 Is Unnecessary

In a National Post op-ed, George Jonas examines the Protecting Canadians from Online Crime Act, often referred to us Bill C-13 or the anti-cyberbullying law, noting that while he “wasn’t unduly concerned about it when it was being attacked by its critics,” his perspective has shifted “when the government started defending it.” He writes that the critics did little to persuade him that Bill C-13 was a bad law, but “the defenders have convinced me that the law is worse than bad: It’s unnecessary. What it outlaws for a good reason is already against the law; the rest is just the state trying to enter the nation’s computer rooms.” [National Post]

CA – CSEC Sends Strong Message of Privacy to New Recruits

Watch out for foreign spies, hackers, terrorist sympathizers and disgruntled employees. Tell acquaintances you work for a “generic” government agency. Leave any iPods, USB sticks, and cellphones at home. At day’s end, turn off your computers, lock down files, and make sure not to take home anything classified. Spilling secrets means risking going to jail. The “CSEC 101: Foundational Learning Curriculum,” comprises dozens of PowerPoint decks that are intended to help new employees at the Ottawa agency find their feet. The Globe and Mail obtained the 650-page manual through Access to Information laws. [Globe and Mail]


WW – Study: People Willing to Exchange Privacy for Cost Savings

A new survey indicates just how much privacy people are willing to trade in exchange for monetary benefits. The Intel and Penn Schoen Berland survey, which polled people in eight countries, found that 70% would be willing to share data from a “smart toilet” if it meant lower healthcare costs, and 84% would be willing to share vital statistics such as blood pressure or lab tests. The survey also found 75% would be willing to share data obtained via a health monitor they could swallow. [WIRE] See also: [Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships] And also: [Yes, Consent Is Dead. Further, Continuing To Give It A Central Role Is Dangerous]

US – Customized Airline Deals Raise Privacy Concerns

When you go online to search for an airfare, you often see the lowest price appear at the top of your computer screen. But what if your airline search site instead offered you a customized flight package deal—adding extras like wireless Internet access and a seat with extra legroom—based on what you have booked in the past? In the future, airlines will increasingly offer you customized airfares based on detailed information carriers have collected, even data about your income, the neighborhood where you live and your travel patterns, according to industry experts. It’s a trend that worries consumer advocates. “It will be the death of comparison shopping,” said Charles Leocha, director of the nonprofit Consumer Travel Alliance and author on travelers rights. A consumer protection panel, appointed by the U.S. Department of Transportation, will meet in Washington to discuss customized airfare pricing. The panel could recommend a new federal rule that requires airlines to disclose what information they are collecting from travelers. [LA Times]

WW – Study: Consumers Will Pay $5 for an App That Respects Their Privacy

A new report finds that people are weary of the hidden costs of free. A new study from economists at the University of Colorado finds that the average consumer would prefer to pay small fees for their apps, in exchange for keeping their information private and their screens uncluttered. In their study, Scott J. Savage and Donald M. Waldman surveyed 1,700 smartphone users, presenting them with a set of apps they could purchase. One of the apps was a real, free app, currently available in the iTunes and Google Play stores. Five other apps were also suggested, and were said to have exactly the same functionality as the free app. But these five came with varying levels of privacy and advertising protections (some protected location data, others address book contents, and so on), and all had a price tag. What Savage and Waldman found is that consumers were willing to spend a bit more to keep their data to themselves, and just how much depended on which data were at stake. For example, on average, consumers were willing to spend $2.28 for an app that would not read their browser history; $4.05 for an app that would not have access to their contacts; $1.19 for an app that did not track their location; $1.75 for an app that did not obtain their phone’s ID number; $3.58 to prevent an app from having access to the contents of their text messages; and $2.12 for an app that had no advertising. Because the “average” app (as determined from a sample of more than 15,000 Android apps) has both advertising and access to a person’s location and their phone’s ID, Savage and Waldman say that paid versions of such apps could rake in somewhere around $5 per download. That’s way, way more than the pocket change that most free apps bring in per download. What’s more, Savage and Waldman use that $5 figure and to do some back-of-the-envelope figuring: Given that the average consumer in their study has 23 apps, and given how many smartphone users there are in the U.S., they calculated the total amount that consumers would spend, if only the apps were there for them to buy: $16 billion. And that’s the conservative, lower-bound estimate. [Reuters]

WW – Privacy Messages Sent Through Art

Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery. [Source]

US – Consumers Warming Up to Smart Meters

Consumers’ fears over smart meters are beginning to dissipate. That’s according to a survey by Navigant Research, which found the percentage of customers who have “favorable” or “very favorable” attitudes toward smart meters has increased from about 37 percent in 2010 to about 43 percent in 2013. While the numbers are improving, “utilities still have some distance to go in building majority support for these technologies.” [FierceSmartGrid]


US – State Employee Downloaded SSNs to Personal Computer

Despite a warning on computer security, a state employee who resigned last week says he downloaded data on 6,300 teachers so he could work from home. The 24-year-old former Tennessee Department of Treasury worker told authorities he e-mailed data from a state computer system with a personal account. He uploaded a Tennessee Consolidated Retirement System file containing Social Security numbers on active teachers, violating the treasury’s privacy policy. The man has not been charged with a crime, but all affected teachers have been notified. [The Tennessean]

US – Voter Info for Sale in Oregon

The Oregon Secretary of State’s Office has made nearly $90,000 off fees during the past five years by selling voter information to political parties or campaigns and, sometimes, to private corporations who turn around and sell the data for a profit. The state charges $500 for the database, which includes full names, addresses, phone numbers, date of birth, party registration and voter history. It does not include how anyone voted. The people who buy the database are not supposed to use it for commercial purposes, said Tony Green, a spokesman for Secretary of State Kate Brown. In fact, they must sign a form agreeing not to do so. Records show that many for-profit companies have purchased the entire database during the past five years. Green said the law does not define “commercial purposes,” and the state relies on complaints before enforcement. First-time violators are fined $75. Just one complaint has been filed since 2006, and it was against Oregon Health & Science University, which is “a public corporation and not considered operating for commercial purposes,” Green said. Other states, including California and Washington, have similar restrictions on how data can be used; however, they levy very different consequences. In Washington, for example, misuse of the data is a class C felony punishable by up to five years in prison and/or a $10,000 fine. Records show Oregon has sold the database to companies all over theU.S. who are using it to make a profit despite having signed the affidavit. [Statesman Journal]

US – US Federal Election Commission Audit Finds Computer Security Issues Unaddressed

An audit report from the Office of Inspector General of the Federal Election Commission (FEC) says the agency has not taken steps to improve computer security. An intrusion in 2012 compromised a Commissioner’s user account so that the attackers could use it to access confidential information. FEC has suffered two additional intrusions since August 2013. The audit report notes, “Failure to develop a strong IT security program places FEC at high risk of continued network intrusions.” [Rollcall] [Report]

US – Kerry to Work on Privacy, Big Data at MIT

Cameron Kerry, former acting secretary and general counsel of the Department of Commerce, will join the MIT Media Lab as a visiting scholar. Kerry will work with Prof. Alex “Sandy” Pentland and the Human Dynamics research group on topics related to privacy and personal data ownership as well as on Pentland’s Big Data for Public Good research initiative, the report states. Pentland said Kerry will be “instrumental in bringing together key players, including governments, multilateral organizations and multinational corporations.” [MIT News]


WW – Time to Rethink E-mail Privacy?

The world of privacy is changing, including a recent change to the terms of service for Rogers Communications, a service managed by Yahoo. The new terms include the notice that Yahoo “identifies words, links, people and subjects from your e-mail messages and other messages archived” in order for the company to better deliver relevant ads, among others. One journalist, according to the report, thinks the changes ask him to give up too much privacy, and a Canadian-based regulatory group has joined a global effort to urge advertisers to disclose to users when ads are derived from such e-mail tracking. [Globe & Mail]

Electronic Records

UK – Finra Fines Barclays Capital Over Improper Electronic Record Keeping

The Financial Industry Regulatory Authority said it fined Barclays PLC’s capital arm $3.75 million for failing to keep electronic records properly for at least 10 years. Finra said that from at least 2002 to 2012 Barclays Capital Inc. allegedly didn’t preserve many of its required electronic books and records, including order and trade ticket data, trade confirmations, account records and other items in the proper format. Business-related electronic records must be kept in a non-rewritable, non-erasable format, according to Finra and federal securities law. Finra said these issues were widespread across all of Barclay’s businesses, so the firm was unable to determine whether all records were kept in an unaltered condition or not. In addition, Barclays failed to keep certain attachments to emails sent via systems maintained by financial information provider Bloomberg LP between May 2007 and May 2010, along with 3.3 million Bloomberg instant messages between October 2008 and May 2010, the industry self-regulatory body said. Finra said that failure violates Securities and Exchange Commission, National Association of Securities Dealers and its own rules and regulations and affected Barclay’s ability to respond to electronic communications requests. Barclays also didn’t establish and maintain a system and written procedures to ensure compliance with SEC, NASD and Finra rules, Finra said. “Ensuring the integrity, accuracy and accessibility of electronic books and records is essential to a firm’s ability to meet its compliance obligations,” said Brad Bennett, Finra’s executive vice president and chief of enforcement. [WSJ.COM]


WW – RSA Denies Accepting US $10 Million from NSA to Use Faulty PRNG

RSA has denied allegations that it was paid US $10 million by the NSA to use a flawed PRNG (pseudo-random number generating) algorithm in its BSafe crypto library. According to a Reuters story, RSA’s use of the Dual Elliptic Curve Deterministic Random Bit Generator allowed the NSA to identify its use in government systems and push for its inclusion in the National Institute of Standards and Technology’s (NIST’s) Recommendation for Random Number Generation Using Deterministic Random Bit generators. In a blog post, RSA said, “we never have entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.” [The Register] [ZDNet] [BBC] [ArsTechnica] [ArsTechnica] [RSA Post]

WW – Researchers Steal Encryption Keys by Listening to Computer’s Sounds

Researchers have demonstrated that it is possible to steal RSA decryption keys simply by listening to the sounds a computer makes while running decrypt routines. The technique has limitations. It would be necessary to send thousands of encrypted messages to a system that opens the messages automatically. Also, the targeted key could not be password protected. [ArsTechnica] [The Register] [NBC News] [Research Paper]

EU Developments

EU – EDPS Releases 2014 Inventory

The European Data Protection Supervisor (EDPS) has released its 2014 inventory, a strategic planning document highlighting key areas of focus for the year ahead. “As the second mandate of the EDPS will come to an end in early 2014, it is appropriate to highlight that privacy and data protection have now become relevant in a wide range of EU policies,” said outgoing EDPS Peter Hustinx, adding, “The recognition of privacy and data protection as fundamental rights means that their delivery in practice must remain a high priority on the EU political agenda.” Among the key areas of strategic importance for 2014 are a new legal framework for data protection and rebuilding trust in global data flows. Full Story

EU – German Parliament Elects New Federal Data Protection Commissioner

With Peter Schaar leaving the position of German Federal Data Protection Commissioner on December 17 after 10 years of service, the coalition German government needed to nominate a replacement for confirmation in the Bundestag. On Thursday, they appointed Andrea Voßhoff, a member of the conservative-leaning Christian Democratic Union who served in the Bundestag from 1998 through 2013. Generally unknown to the privacy community, Voßhoff has received a negative initial reception from some privacy advocates: German MEP Jan Philip Albrecht strenuously objected to her nomination, saying on Twitter that her confirmation would amount to an “abolition” of the office. In this exclusive for The Privacy Advisor, Jörg Hladjk, counsel at Hunton & Williams and German-qualified attorney with a German PhD in privacy, expounds upon the three main challenges Voßhoff faces as she enters her five-year term. [Privacy Advisor]

EU – Yes, Consent Is Dead and Giving It a Central Role Is Dangerous

At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?” Full Story

EU – LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don’t Negotiate on Privacy

A preliminary conclusion by the European Parliament’s Civil Liberties Committee (LIBE) into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.” Full Story

EU – Parliament Backs New Cloud Resolution

The European Parliament is backing a new cloud computing resolution “in response to actions the European Commission (EC) has set out under its cloud computing strategy.” The EC is engaging the European Telecommunications Standards Institute (ETSI) to help determine the new standards required for cloud services, the report states. In their resolution, MEPs welcomed ETSI’s participation, noting the standards “should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness.” The resolution also asks the commission to provide guidelines for businesses to “ensure full compliance with the EU’s fundamental rights and data protection obligations.” []

EU – CNIL Issues Cookie Guidance, Calls for Debate on “Surveillance Society”

The CNIL has released FAQs, along with technical tools, “providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements. “The CNIL’s guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers,” and “only certain cookies are exempt from the consent requirement under French data protection law,” the report states. Meanwhile, the CNIL’s Isabelle Falque-Pierrotin is calling for a national debate on the “surveillance society.” [Hunton & Williams’ Privacy and Information Security Law Blog]

EU – DPC Makes Headlines; Official Says Regulation Won’t Hurt Business

At the IAPP’s Data Protection Congress in Brussels, experts discussed the forthcoming European privacy requirements, which are “almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale. European Commission Director of Fundamental Rights Paul Nemitz dismissed concerns that the regulation will hurt business, saying privacy will instead become a competitive advantage. quotes European Commissioner Neelie Kroes speech, delivered at the event by Kroes’ Head of Cabinet Constantijn van Oranje-Nassau, in favor of such reforms as companies being able to process pseudonymized data without consent, and U.S. Federal Trade Commissioner Julie Brill is defending the Safe Harbor program during the DPC’s opening session. [DataInformed] [Steelie Neelie: EU biz can use YOUR private data WITHOUT PERMISSION]

EU – Supreme Court Acquits Google Execs in Privacy Case

According to his personal blog, Google Global Privacy Counsel Peter Fleischer and two additional “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees for failing to comply with Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.” Full Story

EU – Ten Years and Two Terms Later, a Look at Peter Hustinx’s Legacy

European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004. [The Privacy Advisor].

Facts & Stats

WW – Site Picks “Privacy” as Word of the Year, Tracks Users

Ashkan Soltani and Andrea Peterson report that has chosen “privacy” as its word of the year, citing, among other reasons for the pick, this year’s NSA revelations. “But it has a ring of irony due to the site’s particularly robust consumer-tracking efforts,” they write. The site places 90 cookies on visiting users’ computers and has the most “beacons”—software that can track what a user does on a given webpage—of any site studied in The Wall Street Journal’s 2010 investigation, the report states. [The Washington Post]


WW – Browser Extension Circumvents Internet Filters

A browser extension for Google Chrome help users get around the pornography-blocking filters that UK Internet service providers (ISPs) have been ordered to put in place. Last week, ISP BT announced that new customers will have the filters implemented by default, and that over the course of the next year, existing customers will be contacted and notified and given the option of activating the filters. The plan aims at protecting children from inappropriate content. However, the filters have already proven faulty, as they are allowing some pornography through while blocking websites that contain information about sex education and organizations that help abused women. [WIRED]


US – Senators Call for Consumer Financial Data Security Hearing in Wake of Target Breach

Three US senators have asked the Committee on Banking, Housing, and Urban Affairs to hold a hearing on the Target breach “as soon as reasonably possible.” The senators want to address the questions of whether or not marketplace entities “are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cyber security standards.” The senators want to discuss the possibility of accelerated adoption of EMV chip-based cards and they want to know if financial regulators “have the necessary tools, information, and authority to ensure that financial companies and service providers are doing enough to protect consumer data.” [SC Magazine] [Bank Info Security] [Senators’ Letter to the Committee]

US – Weak Credit Card Security Makes U.S. Prime Target for Data Breaches

The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target’s stores will get worse before they get better. That’s in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes. “We are using 20th century cards against 21st century hackers,” says Mallory Duncan, general counsel at the National Retail Federation. “The thieves have moved on but the cards have not.” In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it’s used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don’t bother. “The U.S. is the top victim location for card counterfeit attacks like this,” says Jason Oxman, chief executive of the Electronic Transactions Association. [Associated Press]


CA – Access Denied: How Perceived Info Blocking Has Dogged Tories in Newfoundland

Newfoundland Premier Kathy Dunderdale was defiant during a recent exchange in the legislature when she touted Newfoundland and Labrador as one of Canada’s most open governments. It’s a claim she has made repeatedly over the last 18 months after her Progressive Conservatives passed access to information changes that national accountability watchdogs called shockingly regressive. Amendments to the Access to Information and Protection of Privacy Act in June 2012 blocked release of ministerial briefing notes, increased protections for cabinet records, hiked fees and allowed ministers to reject requests as “frivolous” or “vexatious.” Accusations of secrecy have dogged the Tories ever since. Opposition Liberal Leader Dwight Ball says his first act if he wins the next election in 2015 would be to repeal those changes and launch a full review of access to government documents. He challenged Dunderdale in the house of assembly on Nov. 18 to overturn “the most secretive bill that this house has ever seen.” Dunderdale was unfazed. She cited a 2012 study on access to information by the Halifax-based Centre for Law and Democracy that found “we are open and transparent, far ahead of other provinces in this country … and the federal government,” she told the legislature. [The Canadian Press]

US – Verizon to Issue Transparency Report

Starting in 2014, Verizon will publish semi-annual transparency reports about government requests for information. Verizon will be the first US telecommunications company to publish a transparency report, which are already published by technology companies such as Google, Microsoft, and Facebook. Verizon was named in the first of the NSA documents leaked earlier this year, which revealed that the intelligence agency had been gathering large swaths of information from the company. [Washington Post] [ZDNet]

WW – Google’s Transparency Report Shows Sharp Increase in Takedown and Data Requests

Google’s most recent transparency report shows that the number of government takedown requests is increasing steadily. In the first half of 2013, Google received more than 3,800 requests from governments around the world to remove content they deemed defamatory, pornographic, or even just embarrassing. Google’s report indicates that it complied with fewer than half of the requests. According to the report, the number of government requests for user data is also increasing rapidly. The US government submitted more than 10,000 requests for information about 21,683 Google users. The data do not include requests for data made under Foreign Intelligence Surveillance Act programs. [Washington Post] [CNET]

EU – Spain’s DPA Fines Google $1.2M

Spain’s data protection authority (DPA) has fined Google $1.2 million (900,000 euros) for the illegal collection and use of consumers’ personal data. The company is charged with “three serious violations” by the DPA for not providing details “about what data it collects, what it uses it for and without obtaining a valid consent.” Google was fined 300,000 euros for each of the three violations and is required take the “necessary measures without any delay to comply with the legal requirements.” In a statement, Google said, “We’ve engaged fully with the Spanish (authority) throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we’ll continue to do so,” adding “We’ll be reading their report closely to determine next steps.” [Bloomberg]

Health / Medical

US – Electronic Death Records Effective Influenza Surveillance Tool

The use of electronic death certificates may be an effective means of monitoring influenza outbreaks, according to new data. Unlike traditional methods of surveillance, an electronic death reporting system (EDRS) does not require medical records to track the severity of influenza seasons. Therefore, it requires fewer resources and would be less taxing on hospitals and public health personnel, researchers reported in Emerging Infectious Diseases. [Source]

CA – Pharmacist’s Facebook Request Broke Alberta’s Health Rules

A Calgary pharmacist shouldn’t have dug into a woman’s health information for “matchmaking” purposes, according to Alberta’s privacy commissioner. A casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook “friend” a woman who had filed a prescription, said Jill Clayton. [CBC News]

Horror Stories

US – Target: PINs Were Stolen in Breach

Target now admits that PINs were stolen during a security breach of its in-store payment systems that affected 40 million accounts, but says that the data are encrypted. The PINs are reportedly encrypted at the keypads with Triple DES encryption; Target does not store or even have access to the key necessary to decrypt the data. [DarkReading] [ComputerWorld] [CNET] [CNN] [GovInfoSecurity] See also: [Target Payment Processor Denies it Was Breached] and [Is This Man Selling The Stolen Target Data?]

US – Target Breach Incites Action; Snapchat Is Latest High-Profile Breach Victim

Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. [The Privacy Advisor] See also: [Following hack, RegistratioNation discovers some customer data was inadvertently being stored on its server] [FL: Barry University notifies patients that records with personal, financial, and medical information may have been compromised] and [Woman finds her private information from rental application posted online]

WW – Snapchat Data Stolen; App Will Be Updated

A database of Snapchat 4.6 million usernames and some associated telephone numbers with the last two digits blurred has been posted online. The site where the stolen data were posted has been taken down. The people behind the attack say they exploited recent changes made to Snapchat to access the information. A message on Twitter from Snapchat CEO Evan Spiegel says that the company is “working with law enforcement [and] will update when we can.” [CNN] [ZDNet] [Washington Post] [The Register] [CNET] Update: Snapchat has announced that it will release an updated version of the app that will allow users “to opt out of appearing in Find Friends after they have verified their phone number.” The company said that it is also implementing other changes “to address future attempts to abuse our service.” [Source]

WW – Snapchat API and Exploits Published

Hackers have published Snapchat’s API (application programming interface) and exploit code for a pair of vulnerabilities that could be used to match phone numbers with usernames and create phony Snapchat accounts. The hackers say they released the information because Snapchat developers ignored their notifications about the vulnerabilities. [ArsTechnica] [Forbes] [ZDNet]

NZ – Huge Increase in IRD Privacy Breaches

Confirmed privacy breaches at Inland Revenue have jumped by almost 400% in the past year despite a crackdown after a spate of failings. In 2012 there were 32 separate privacy breaches but ONE News can reveal that has shot up to 151 incidents this year. The figures, obtained under the Official Information Act, show more New Zealanders’ confidential details are ending up in the wrong hands. And while the total number of people affected in the breaches has dropped from 6379 to 1158, hundreds more people are victims of serious breaches. In 2012, 638 people were caught up in three serious breaches while in 2013, 946 people were affected by 43 serious breaches where Inland Revenue has had to put security measures in place to protect people from identity theft. Labour’s revenue spokesperson David Clark said it’s a huge increase.”At this rate of increase pretty soon every New Zealander’s private banking data will be available to anyone that wants it and that’s a frightening prospect,” he said. [ONE News]

Identity Issues

US – Metadata Not Anonymous at All, Stanford Researchers Show

If you’re not concerned about government surveillance of your phone because the National Security Agency (NSA) only collects metadata, think again. A study from Stanford University shows that connecting “anonymous” metadata to compromising personal information is trivially easy. Documents leaked in June by former NSA contractor Edward Snowden revealed that the organization was collecting metadata about calls placed to and from Verizon telephone lines. Although this revelation was potentially troubling, metadata collection is, in theory, not cause for concern. The metadata about your phone calls does not reveal your name or identity, or the content of your conversations, but it does track the numbers you call, how long the calls last, and which other companies have your phone number in their directories.  Although the specific documents leaked in June concerned Verizon landlines, the NSA has since admitted that it collects metadata about mobile telephone calls and text messages as well. Sen. Dianne Feinstein (D-Calif.), who heads the Senate Intelligence Committee, has said that collecting metadata is “not surveillance.” Because the information, by itself, cannot identify individuals, Feinstein and the NSA hold that it is practically harmless for the government to collect it. A research team operating out of Stanford University disagrees, and hopes to prove its point with a new Android app called MetaPhone. By accessing your phone number and your Facebook page, this app does what any NSA program could do: It acquires your metadata, then correlates it with your social-media information to see how much it can learn about you.  [Tom’s Guide US]

BA – Bahamas: National ID Card Being Considered By Government

Immigration Minister Fred Mitchell said the Government is considering introducing a National Identification Card as well as charging persons who knowingly hire illegal immigrants in an effort to deal with the country’s long standing illegal migration problem. Mr Mitchell said in 2014 the issue of immigration will be “front and centre” on the government’s agenda. [The Tribune]

Internet / WWW

AU – Top Websites Pose Privacy Threat

Some of Australia’s most popular websites are also those that pose the greatest privacy threat, a new index created by University of Canberra cyber security experts has found. In an Australian first, the University’s Centre for Internet Safety has produced the 2013 Australian Online Privacy Index to rate the websites most visited by Australians. While Australian-based sites rank among the best, the majority are not compliant with changes to the Privacy Act which comes into force in March 2014. Co-director Alastair MacGibbon explained that to develop the index, the researchers looked at how websites collect, use, disclose, transfer and store customers’ personally identifying information.“This report demonstrates the majority of organisations are not ready for the new regulatory changes,” he said. The new index will allow consumers and regulators to assess the privacy implications of interacting with popular websites. It will also allow businesses to compare themselves with peers in their own sector, as well as to know how their sector fares against others. [The University of Canberra]

Law Enforcement

US – Commercial UAV Use in U.S. Takes Next Step Forward

While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the U.S. Currently, only law enforcement operations and certain educational institutions, or those who’ve expressly received clearance, are allowed to use what have commonly come to be referred to as “drones.” However, CNN reports, the FAA approved six research sites in late December at which it will test the best ways in which to safely, and with consideration for privacy, bring UAVs into “the heavily used U.S. airspace.” In this roundup for The Privacy Advisor, we look at the latest news in the use of UAVs from the holiday season. [The Privacy Advisor] See also: [Unbelievably lenient sentence for cop who fingered suspects’ anuses]

CA – OPP first to Target Suspended Drivers Through Licence Plate Program

Driving with a suspended licence is about to get much riskier for drivers as the Ontario Provincial Police (OPP) become the first police service in Ontario and one of the first in Canada to target suspended drivers with their Licence Plate Recognition Program (ALPR). “Thanks to our continued partnership with the Ministry of Transportation Ontario (MTO) and the Ontario Information and Privacy Commissioner (IPC), our roads will be much safer now that we have the resources to remove the threat that suspended drivers pose to all road users. The additional 27 vehicles will allow us to scan thousands more plates every day over a broader geographic range in the province,” said OPP Deputy Commissioner Bill Blair, Provincial Commander of Traffic Safety and Operational Support. The OPP is also expanding its ALPR program to include an additional 27 ALPR equipped vehicles to its existing fleet of four which, according to the OPP, will make it more difficult for suspended drivers, drivers of stolen vehicles and other vehicles with plates in poor standing to drive undetected on Ontario roads and highways. “Our partnerships with the OPP and all our road safety partners have allowed us to lead the way with some of the most advanced road safety programs, tough laws and strong enforcement. This is why Ontario is a North American leader in road safety,” stated Glen Murray, Minister of Transportation and Minister of Infrastructure. “Ontario motorists expect to be protected from unsafe drivers, but also not to be tracked as they go about their daily lives. We are pleased to report that the OPP used a Privacy by Design approach in developing its Automatic License Plate Recognition system, and that when a scanned license plate does not match the list of unsafe drivers, it will be deleted from the system within minutes,” added Ann Cavoukian, Ph.D. Information and Privacy Commissioner, Ontario, Canada. Approximately 250,000 Highway Traffic Act licence suspensions are issued annually in Ontario. OPP ALPR vehicles now have access to an MTO database that contains all Ontario licence plates of vehicles whose registered owners’ driver’s licences are suspended.  [Ottawa Valley] [Ontario getting 27 vehicles equipped with Automatic Licence Plate Recognition program technology]


WW – Some Older Webcams Activation Indicator Lights Can be Disabled

Researchers at Johns Hopkins University have found that it is possible to disable activation indicator lights by modifying the firmware on some webcams on older Mac computers. The issue affects iSight webcams in Macs and MacBooks released prior to 2008. [Washington Post] [ComputerWorld] [CNET] [ArsTechnica] [iSpy: Prof finds some Apple webcams can be activated without warning light]

WW – A New Twist in International Relations: The Corporate Keep-My-Data-Out-of-the-U.S. Clause

By now, we’ve heard from tech companies such as Facebook, Google and Cisco Systems that the National Security Agency’s spying poses a threat to their international business and, in Cisco’s case, is already hurting it. So what does that threat look like, exactly, at ground level? Some companies are apparently so concerned about the NSA snooping on their data that they’re requiring – in writing – that their technology suppliers store their data outside the U.S. [Bloomberg]

Online Privacy

WW – Instagram Rolls Out Nuanced Photo-Sharing

Instagram Direct is a new messaging service that allows users to document granular parts of their day to clusters of friends. As our “notions of privacy are constantly evolving and, in many cases, being eroded altogether,” we are “learning how to cope by adapting ourselves and our sharing behaviors by deciding which version of ourselves to present based on the number of people who will be able to see it,” the report states, suggesting the new service seems to respond to that adaptation. [The New York Times] [Instagram Direct and the Fracturing of Privacy]

WW – Bilton: “Anyone Who Can Watch You Will”

Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [New York Times]

US – Are Your Books Reading You?

New services track our habits—including an exercise game that monitors our fitness and e-books that “read” us. For example, the report states, start-ups “get reading data from subscribers who, for a flat monthly fee, buy access to an array of titles, which they can read on a variety of devices. The idea is to do for books what Netflix did for movies and Spotify for music.” As one author put it, “What writer would pass up the opportunity to peer into the reader’s mind?” Meanwhile, Gregory Schmidt writes a column on his use of Nintendo’s Wii Fit Meter. The device “ clips on a belt or waistband and records your activity,” which can then be downloaded to the Wii U controller. [The New York Times]

Other Jurisdictions

WW – United Nations Signs Off on ‘Right to Privacy in the Digital Age’

The United Nations (UN) has unanimously voted to adopt a resolution calling for online privacy to be recognised as a human right. The gesture is politically notable because it shows the world is willing to be seen to do something in the wake of The Year Of Snowden. The resolution extends the general human right of privacy to the online world and clearly takes aim at the USA for its recently-revealed activities in clause 4, which “Calls upon all States” to perform the following actions.

a)      To respect and protect the right to privacy, including in the context of digital communication;

b)      To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;

c)      (c)To review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;

d)      To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and collection of personal data;

Sadly, UN resolutions of this sort aren’t binding and can be flouted without consequence.

On the upside, the UN has explicitly recognised “that the same rights that people have offline must also be protected online, including the right to privacy” and noted that “the global and open nature of the Internet and the rapid advancement in information and communication technologies as a driving force in accelerating progress towards development in its various forms”. [The Register] [UK: Internet privacy as important as human rights, says UN’s Navi Pillay]

AU – Overview of the Australia Privacy Principles (APPs)

A guide to the new privacy landscape for the Commonwealth Government. Bottom Line: the amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, new Australian Privacy Principles will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to “sensitive information”. The Privacy Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies. The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than the IPPs. [See Full Summary and discussion at: Mondaq News]

Privacy (US)

US – Judge Dismisses Challenge to Suspicionless Border Searches of Electronics

A federal judge in New York dismissed a suit brought by the ACLU in 2010 that challenged the Customs and Border Patrol’s authority to conduct searches of electronic devices at border crossings without reasonable suspicion. Judge Edward Korman said the likelihood of such a search was small and that there are procedures in place for privileged content, such as journalists’ sources and attorneys’ client communications. The second Bush administration established suspicionless electronics searches in 2008, adding them to the existing border search exemption that allows routine searches and seizures without a warrant or probable cause. The ACLU is appealing the ruling. [ComputerWorld] [Ars Technica] [NextGov] [WIRED] [ComputerWorld] [Decision] [Notice of Appeal]

US – FTC’s Accretive Settlement Means 20 Years of Audits

Medical billing and revenue management services firm Accretive Health has settled charges with the Federal Trade Commission (FTC) that its inadequate data security exposed sensitive consumer information. The FTC said the company, which had access to such sensitive data as birthdays, names, Social Security numbers and billing information, failed to provide “reasonable and appropriate” security measures to protect the data and failed to ensure employees destroyed data that was no longer needed. Accretive must now establish a comprehensive program to be audited every two years for the next 20 years. Meanwhile, FTC Commissioner Julie Brill has recused herself from the case against LabMD. [FTC Press Release]

US – NY Parents, Districts Worry About Database Privacy

Even as their students’ grades, attendance and other personal information are about to be fed into a new statewide database, district administrators and parents around New York say they remain unconvinced the information won’t creep out over time or hurt students later when they apply for college or work. There are also questions about why the database pulling together hundreds of pieces of information in one place is needed, and a key state lawmaker has called for delaying the process set to start after Jan. 1. New York has signed up with Atlanta-based inBloom, which has struggled to get other states to participate, to create a system that stores student information on servers in the so-called cloud, accessed through the Internet. It’s seen as a tool to track student progress, personalize instruction and identify students who may be in danger of not graduating. Parents can also check on how their children are doing. But weeks of assurances by the state Education Department still haven’t satisfied critics’ privacy concerns. About three dozen of the state’s 695 districts say they won’t use the portal, forfeiting their shares of more than $700 million in federal Race to the Top funding won in 2010 and tied by the state to the database. State lawyers are due to respond this week to a legal challenge by 12 New York City parents seeking to block the state from sharing student information for the database, which is expected to go live in March. [Associated Press]

US – Judge Finds Accounting Firm Stole From Cloud in Landmark Ruling

In a landmark ruling that could impact Internet data rights nationwide, a judge found a Midtown-based accounting firm liable for stealing information from the online storage system known as “the cloud.”  Manhattan Federal Judge Robert Sweet ruled that Weiser Capital Management took wealth manager Debra Schatzki’s valuable business records off the cloud without her permission and locked her out of her own database — a move that could cost the company millions of dollars when damages are decided at a civil trial next month. The valuable records included years of personal financial information for 12,300 of Schatzki’s clients, including high-net-worth real estate and architecture execs. Her lawyer believes the ruling last month may be the first time a judge has held someone liable for taking information from the cloud, and could have a sweeping impact because more and more people are using cloud tools such as Google Drive and Dropbox to store and share files. “By ruling as he did, Judge Sweet is protecting all businesses and individuals who elect to keep confidential materials on the cloud,” said Schatzki’s lawyer James Mahon. [NEW YORK DAILY NEWS] See also: [Ars Technica’s Four Tech Legal Cases to Watch in 2014]

US – Judge: Hulu Privacy Lawsuit Will Continue

A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6. [Reuters]

US – Coalition of Internet Firms Worried About NIST Framework

Some major Internet companies comprising the Internet Commerce Coalition say the National Institute of Standards and Technology’s proposed privacy framework would be “potentially burdensome,” therefore discouraging some organizations from adopting it. The final draft of the framework is to be released in February, and privacy is built into its requirements. The coalition says it favors a methodology developed by Hogan Lovells’ Harriet Pearson under which firms would be required to follow a more general scheme rather than the privacy appendix suggested in the framework now. [FierceGovernmentIT]

Privacy Enhancing Technologies (PETs)

AU – Privacy Issues in Designing Mobile Apps

The Office of the Australian Information Commissioner (OAIC) recently released a guide under the title “Mobile Privacy: A better practice guide for mobile app developers” (the Guide). The intention of the Guide is to assist app developers with building “privacy-friendly” apps to ensure better privacy practices and also ensure compliance with Australian privacy laws, both under the existing National Privacy Principles, and the incoming Australian Privacy Principles, which will commence from 12 March 2014. The Guide encourages developers to adopt a “privacy by design” approach that aims at building privacy and data protection up front, into the design specifications and architecture of the technology used as part of the app. Such an approach will ensure that privacy considerations are incorporated into each stage of app development. The Guide also sets out a number of “essentials” that an app developer should consider when designing their app. [] See also: [US FTC Says App Developers Must Shine More Light on How They Use Data]


US – DOE Inspector General’s Report Notes Lack of Patching as Contributing Factor to Breach

The US Department of Energy (DOE) system breached earlier this year was not kept current with patches. According to a report from the Office of Inspector General of DOE, “Critical security vulnerabilities in certain software supporting the management information system (MIS) application had not been patched or otherwise hardened for a number of years.” Database administrators may be reluctant to apply patches because they can have the added effect of introducing “behavioral changes.” [DarkReading] Background: | | ]

US – NSA Tailored Access Operations Unit Provides Specialized Hacking Services

According to a story published in German magazine Der Spiegel, a special NSA unit has a “catalog” of hacking tools that can be used to infiltrate systems and individual computers, steal data, plant backdoors, impersonate GSM base stations to intercept mobile phone calls, and perform a multitude of other high-end cyberespionage tasks. The unit, known as the Office of Tailored Access Operations (TAO), also reportedly hijacks Microsoft’s crash reporting system to help gain access to targeted machines. [Spiegel] [WIRED] [CS Monitor] [DarkReading] [ComputerWorld] SEE ALSO: [U.S., Russia Hold Cybersecurity Talks] See also: [Internet privacy to be key IT security topic of 2014]

WW – Researchers Create Malware Able to Jump Non-Connected Devices

Newly developed malware is capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.” [Ars Technica]

CA – Feds Sought to Ban USB Drives to Curb Risk of Privacy Breaches

Fearing it may lose sensitive information on First Nations peoples, the Department of Aboriginal Affairs decided earlier this year to ban the use of USB keys to transport data — then realized instituting the new rule without an alternate plan was doomed to fail. That conclusion came after a security blitz in March that found “vulnerabilities that needed to be addressed” within the department, according to a briefing note to the deputy minister. That briefing note went on to say that a ban on the use of portable data devices “is known,” but enshrining it in policy was no simple task. “Issuing direction before it can be enforced and before the tools are available to support compliance, encourages people to disregard it. This increases the risk of intentional breaches,” the note says. [Calgary Herald]


US – NSA Developed Backdoor for iPhones

A news story in German magazine Der Spiegel said that NSA spyware known as DROPOUTJEEP can give anyone using it access to most everything on infected iPhones. The tool harvests text messages and voicemail and is capable of switching on the device’s microphone and camera remotely. Apple has denied that it worked with the NSA to put the backdoor in iPhones. In a statement to the Wall Street Journal, Apple officials said. “Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products.” [NBC News] [SC Magazine] [ZDNet] [CNET] [ComputerWorld] SEE ALSO: [Backdoor in Certain Combination Wireless Router/DSL Modems] see also: [Companies Investigating Reports of NSA Backdoors in Their Products]

US – NSA Intercepts Computer Deliveries, Says Report

A German magazine lifted the lid on the operations of the NSA’s hacking unit, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets. Der Spiegel’s revelations relate to a division of the NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets. Der Spiegel said TAO had a catalogue of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go. The NSA doesn’t just rely on James Bond-style spy gear, the magazine said. Some of the attacks described by Der Spiegel exploit weaknesses in the architecture of the Internet to deliver malicious software to specific computers. Others take advantage of weaknesses in hardware or software distributed by some of the world’s leading information technology companies, including Cisco Systems, Inc. and China’s Huawei Technologies Ltd., the magazine reported. Der Spiegel cited a 2008 mail order catalogue-style list of vulnerabilities that NSA spies could exploit from companies such as Irvine, California-based Western Digital Corp. or Round Rock, Texas-based Dell Inc. The magazine said that suggested the agency was “compromising the technology and products of American companies.” Old-fashioned methods get a mention too. Der Spiegel said that if the NSA tracked a target ordering a new computer or other electronic accessories, TAO could tap its allies in the FBI and the CIA, intercept the hardware in transit, and take it to a secret workshop where it could be discretely fitted with espionage software before being sent on its way. Intercepting computer equipment in such a way is among the NSA’s “most productive operations,” and has helped harvest intelligence from around the world, one document cited by Der Spiegel stated. One of the most striking reported revelations concerned the NSA’s alleged ability to spy on Microsoft Corp.’s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies. The reporting system is intended to help Microsoft engineers improve their products and fix bugs, but Der Spiegel said the NSA was also sifting through the reports to help spies break into machines running Windows. [Der Spiegel]

US – If NSA Can’t Store Phone Data, Who Will?

Following the revelation that the NSA has been storing vast quantities of phone call metadata and a federal judge’s opinion that the practice is “almost certainly” unconstitutional, the government is considering alternatives to the agency holding the data. Some have suggested requiring the phone companies themselves to retain the data and requiring that the NSA meet strict guidelines when requesting to look at them, but that involves expense and puts the telecoms in the position of being the target of data breaches. Furthermore, unless the data retention arrangement was clearly specified to be for counterterrorism purposes only, the companies could find themselves receiving data requests from federal agents as well as state and local governments. A proposal that would establish a third-party entity to retain the data poses similar problems; as one unnamed senior Senate aide observed, “You’d have to demonstrate why that organization having those records provides any less privacy concern than giving it to the NSA, which operates under very strict privacy guidelines.” [Washington Post] SEE ALSO: [How the Grinch steals Christmas — he tracks your kid online] and [‘Tis the season: Retailers collecting customer data to boost sales]

US – Opinion: Nation Needs Reforms

In an op-ed piece, members of the President’s Review Group on Intelligence and Communications Technologies, appointed in August, write that “the nation needs a package of reforms that will allow the intelligence community to continue to protect Americans, as well as our friends and allies, while at the same time affirming enduring values, involving both privacy and liberty.” The group has made 46 recommendations to President Barack Obama. Another NYT article discusses the repercussions if Obama adopts the advisory group’s most far-reaching recommendations, which may “go a long way toward determining the legacy of his presidency.” Meanwhile, author David Eggers says U.S. writers must take a stand on U.S. surveillance. [New York Times]

US – NSA Review Panel Urges Major Oversight, Some Restrictions

A review panel of outside intelligence and legal experts on Wednesday released its report to President Barack Obama recommending increased oversight and some restrictions on the National Security Agency (NSA) surveillance programs. Among the 46 recommendations, the panel urged Obama to restructure the NSA’s metadata collection program by having telecommunications companies or a private consortium hold the data and only share it after the agency provides an approved court order “for queries and data mining.” The panel also recommended the agency halt its practice of creating “backdoors” into hardware and software as a secret way to manipulate devices and online systems. Sen. Ron Wyden (D-OR) said, “This has been a big week for the cause of intelligence reform,” and the Center for Democracy and Technology’s Greg Nojeim called the report “remarkably strong.” Obama reportedly said he was “open to many” of the recommendations. [The New York Times] [Analyzing the NSA Review Panel Report]

US – Federal Judge Rules NSA Program Likely Unconstitutional

A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions. [Politico]

US – Judge Rules NSA’s Data Collection is Legal

A federal judge in New York has ruled that the NSA’s wholesale collection of phone call metadata is legal. US District Judge William Pauley said the data collection is allowed under Section 215 of the Patriot Act, because telecommunications companies collect the data. The ruling comes in a lawsuit brought by the American Civil Liberties Union (ACLU), which challenged the NSA’s data collection program. In contrast, a ruling from another district judge earlier this month described the program as “likely unconstitutional.” [CNET] [ArsTechnica] [The Register] [RULING] See also: [The most Kafkaesque paragraph from today’s NSA ruling]

US – NSA Data Gathering Cases Raise Question of Legal Precedent’s Validity in the Digital Age

The two diametrically opposed opinions on the legality of the NSA’s telephony metadata collection raise the question of whether a 34-year-old US Supreme Court ruling applies in the case. In 1979’s Smith v. Maryland, US Supreme Court found that people do not have a “reasonable expectation of privacy” for information that they have voluntarily disclosed to a third party. Last week, US District Judge William Pauley ruled that the precedent does apply and that the NSA’s data collection program is legal. However, several weeks ago, US District Judge Richard Leon wrote, “When do present-day circumstances … become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith does not apply? The answer … is now.” [The Atlantic]

US – Tech Giants Meet with Obama, Talk NSA

A high-level meeting took place between President Barack Obama and chief executives from 15 of the country’s largest technology companies to discuss, in part, National Security Agency (NSA) surveillance programs. In a post-meeting statement, the executives said they urged Obama “to move aggressively on reform…” They also raised concerns that foreign countries, such as Brazil, may prevent user data from flowing to the U.S., which could hurt the executives’ businesses as well as the U.S.’s start-up economy. Though the White House made no commitments, it reportedly expressed sympathy with the web companies’ call for more transparency about government requests for user data, and it told the executives that government action to reform NSA surveillance would happen in the new year, the report states. Meanwhile, Bloomberg reports Monday’s ruling on the NSA could move to the Supreme Court. [The New York Times]

Telecom / TV

UK – Kate Middleton & Prince Harry’s Phones Hacked, Court Hears

Rupert Murdoch’s ‘News of the World’ intercepted Kate Middleton and Prince Harry’s voicemails, prosecutors alleged in a London court. Kate Middleton and Prince Harry had their phones hacked by Rupert Murdoch’s biggest selling newspaper, a court in London heard. It is the first time the Murdoch media empire has been accused of illegally accessing the phone of a member of the royal family: previous allegations have centered on the hacking of phones used by royal aides. The now-shuttered Sunday tabloid, the News of the World, is accused of accessing Middleton’s voicemails to gain embarrassing personal details about her and Prince William. [The Daily Beast]

US Government Programs

US – 2014 National Defense Authorization Act Attempts to Address Cybersecurity Issues

The newly-passed US 2014 National Defense Authorization Act increases funding for CyberCom (US military’s Cyber Command) but the organization still lacks clarity about the rules of cyber engagement and is struggling with finding enough talented people. The bill also requires federal agencies to develop “intelligence, law enforcement, and financial sanctions” mechanisms to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.” Legislators are particularly concerned about zero-day vulnerabilities being sold on the black market. The bill also requires the administration to develop “principles for controlling the proliferation of cyberweapons that can lead to expanded cooperation and engagement with international partners.” The bill does not, however, define “cyberweapon.” [NextGov] [Politico] [Politico]

US – Can Plaintiffs’ Lawyers Fill the DPA Role?

Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, CIPP/US, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attorneys’ fees for plaintiffs’ counsel and very little for individual class members.” [Source]

US Legislation

US – What Will 2014 Hold for the NSA and Snowden?

The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday December 27 ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup for The Privacy Advisor, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lay ahead in for the NSA in 2014. [Full Story] See also: [Snowden’s Christmas message: Privacy counts] [Snowden in open letter: NSA’s indiscriminate spying is ‘collapsing’] [2013 Privacy Law Review] [The Year’s Top 10 Stories in The Privacy Advisor] [The Year’s Top 10 Privacy Perspectives Posts] and [Five Interviews Shed Light On What Is Going On Inside NSA] [2013 a big year for privacy? You ain’t seen nothing yet!] [The NSA and the Corrosion of Silicon Valley] [2013 is the year that proved your ‘paranoid’ friend right] and [The Dumbest Privacy Cases Of 2014 and Is Privacy Law Stupid?]

US – U.S. Court Strikes Down Drug Screening for Welfare Recipients

U.S. District Court Judge Mary Scriven has deemed unconstitutional a Florida law requiring welfare recipients to submit to drug screening. The law went into effect in July of 2011, but in October the 11th Circuit Court issued a temporary injunction. While the state fought the injunction, this latest ruling agreed with the 11th Circuit that “There is nothing so special or immediate about the government’s interest in ensuring that TANF recipients are drug free so as to warrant suspension of the Fourth Amendment.” Gov. Rick Scott has vowed to appeal the decision. [The Miami Herald]

WW – Expect APEC Privacy “Stocktake” in 2014

Australia Privacy Commissioner Timothy Pilgrim has said officials charged with developing a privacy policy for the Asia-Pacific Economic Cooperation (APEC) are planning a “stocktake” of the APEC Privacy Framework. Pilgrim also said APEC’s Data Privacy Subgroup will work with the EU to map the APEC’s Cross Border Privacy Rules system with the EU binding corporate rules system. “The idea there is to see if they can identify any gaps for the purposes of possible future interoperability between the systems,” Pilgrim said, adding, “The next step is to sit down and identify where are the similarities and where are the gaps if we want to try to move to interoperability.” [Bloomberg BNA]

US – Judge: Hulu Privacy Lawsuit Will Continue

A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act, Reuters reports. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6. Full Story

US – TN Sen. Proposes Cellphone Privacy Bill

Tennessee State Sen. Mae Beavers (R–District 17) has proposed a bill that would require police to acquire a warrant before collecting cell phone data including the number dialed, from where and at what time. Tthe bill is similar to a drone surveillance law passed recently. “If you don’t get a search warrant, you can’t use it as evidence. So hopefully this will sail right through as a privacy issue to protect the innocent,” said Beavers. [WREG]

US – Kids Online Privacy Workgroup Submits Final Report

After six month of discussions, Maryland Attorney General Douglas Gansler submitted the final report of the Workgroup on Children’s Online Privacy Protection offering suggestions for better protecting children’s personal information online. The report proposes requiring the encryption of sensitive information collected from children and updating state statutory definitions of personal information, among other recommendations. The Maryland House Economic Matters Committee and the Senate Finance Committee will review the report. [Legal Newsline]

US – Sen. Proposes Employee Credit Privacy Bill

Sen. Elizabeth Warren (D-MA) has introduced the Equal Employment for All Act, which would prohibit employers from requiring job applicants to disclose their credit history as part of the application process, repots International Business Times. Warren says the practice stacks the deck against poorer workers and can create a vicious cycle. Norm Magnuson, vice president of public affairs for the Consumer Data Industry Association says the organization supports the use of credit reports in qualifying potential employees, adding that in some cases the reports could show a pattern of irresponsible behavior.

US – How CalOPPA Changes Affect the App Industry

This article from Wired outlines the impact recently passed amendments to the California Online Privacy Protection Act will have on the app industry. The provision stating that publishers must “disclose whether third parties may collect Personally Identifiable Information over time from different websites” poses particular concern to app developers because of their methods of tracking users. The report also states, “Browser and app developers need to decide what ‘Do-Not-Track’ signals their products should offer and how to communicate the functionality to consumers and operators of commercial websites or online services.”

US – Congresswoman Pushes for Health Exchange Notification Law

Rep. Diane Black (R-TN) has introduced legislation to require the government to notify individuals if their personal information is breached through the Affordable Care Act’s insurance exchanges. H.R.3731 is part of a larger partisan campaign maintaining that “the exchanges are putting personal data at risk.” [National Journal]

US – Ohio Passes Student Data Privacy Bill

The Ohio House of Representatives has passed HB 181, legislation that prohibits schools from sharing students’ personal information with any federal, state or local entity without school board authorization, except in certain circumstances. The law also requires the state department of education to publish data inventory policies and procedures yearly as well as provide data collection information to the General Assembly. [The Perry Tribune]

US – Two Education Privacy Bills Pass Committee in Wyoming

The Select Committee on Education Accountability has approved two bills sponsored by Sen. Bill Landen (R-Casper) involving the state’s Department of Education. The first would create a provision in the current law barring it from committing the state to “federal oversight or regulation” and also giving it the “authority to develop an education program without excessive oversight.” The second requires the department’s directors and those of the Department of Enterprise Services to develop a data security plan and contains language used in other state’s student privacy laws. [Star-Tribune]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014. In this exclusive for Privacy Tracker, the Hogan Lovells privacy team looks at what the GAO examined and, in the short term, how Congress might respond to the GAO’s findings and, when they are published, Rockefeller’s. Are stronger consumer privacy protections on the way?  Full Story

US – Federal Judge Rules NSA Program Likely Unconstitutional

A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions. [Full Story] [Politico]

US – Unpacking the Klayman v. Obama Decision

On December 16, the District Court in the District of Columbia issued an opinion finding that the National Security Agency’s (NSA) surveillance program was likely unconstitutional. In Klayman v. Obama, five plaintiffs sued a variety of government officials and private companies seeking preliminary injunctive relief based upon the assertion that the NSA program was unconstitutional and violated other statutes. In what ended up making big news, the court concluded there was a substantial likelihood the plaintiffs would prevail on their Fourth Amendment claims and issued an injunction. In this Privacy Tracker blog post, Andrew Serwin unpacks the court’s decision. Full Story

US – Can Plaintiffs’ Lawyers Fill the DPA Role?

Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attornies’ fees for plaintiffs’ counsel and very little for individual class members.” Full Story

US – Sen. Tells Data Broker Industry They’re On Notice

In a Senate Commerce Committee hearing, Sen. Jay Rockefeller (D-WV) had harsh words for the consumer data broker industry. “We have a feeling people are getting scammed or screwed,” he said. The hearing focused on the use of consumer marketing data and followed the release of Rockefeller’s report on the industry, which said that Acxiom, Epsilon and Experian were not as forthcoming with their answers to Rockefeller’s investigation as he would have liked. Rockefeller warned he may use more forceful means of getting them to share such insights. Experian Senior VP of Government Affairs and Public Policy Tony Hadley defended his company’s practices and said it has safeguards to ensure bad actors do not get consumer lists. In chilling testimony, the World Privacy Forum’s Pam Dixon discussed some of the disturbing use of data, including the selling of rape victim lists, home addresses of police officers and names of those with genetic illnesses. Rockefeller said the committee will continue to shine a spotlight on the industry. [AdAge]

Workplace Privacy

WW – Recruiters Mining Medical Data to Target Subjects

Healthcare companies are probing readily available information from data brokers, pharmacies and social networks in order to recruit patients for clinical trials. Blue Chip Marketing Worldwide, for example, found patients to experiment with an obesity drug by targeting people who presumably live sedentary lifestyles, such as those who subscribe to premium cable TV or eat at fast-food chains frequently, the report states. ”We are now at a point where, based on your credit-card history … we can get a very, very close read on whether or not you have the disease we’re looking at,” said a spokesman from one pharmaceutical product development company. [The Wall Street Journal]

US – On The 10th Day Of Privacy, My Employer Gave To Me …..

As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues.  Here are five developments that we are monitoring (pun intended) as we enter the New Year.

1. The Law Starts to Catch up With the Technology

2. So Tell Us Your Honor, What Do These Laws Mean?

3. Your Greatest Strength May Be One of Your Biggest Weaknesses

4. Wait, Our Employees work in an office not in a factory, what’s the NLRB doing here?

5. When did We Start Living in the World of George Jetson? [Mondaq News]

CA – BYOD: It Can Be Privacy and Security Protective

On December 11, 2013, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and TELUS released a new whitepaper applying the principles of Privacy by Design to employee owned devices in the workplace. The whitepaper, entitled “Bring Your Own Device: Is Your Organization Ready?”, sets out a five-step process for developing and implementing a BYOD program.:

  1.       Step One: Establishing Requirements – End-User Segmentation. This involves identifying user needs.
  2.       Step Two: Technology Alignment and Device Choice. This involves aligning permitted devices to user needs and operational considerations, as well as the level of access permitted based on the device characteristics.
  3.       Step Three: Policy Development. In this step, the organization is to develop policies and procedures governing information security, monitoring, privacy, guidance on the use of wifi, termination of employment and other issues engaged by BYOD.
  4.       Step Four: Security. This step requires the organization to evaluate existing and implement additional administrative, technical and physical security controls to enhance or maintain the security of the organization’s IT infrastructure and the integrity and privacy of personal information.
  5.       Step Five: Support. In this final step, an organization to have a plan to support employees, including with respect to lost or misplaced devices.

[Mondaq News] See also: [BYOD – It can be privacy protective from Dentons] and [BYOD Participation Agreement from Dentons]

US – BYOD Became the ‘New Normal’ in 2013

A shift in the adoption of bring-your-own-device (BYOD) policies in 2013. A poll taken in January found that three of four respondents had a program in place, but two-thirds had an “anything goes” philosophy. This year, CIOs began shifting IT department cultures to embrace mobile apps in an effort to manage BYOD. “The education cycle by the vendors and analysts began to sink in,” said one expert. “Line of business managers don’t want this liability on their hands.” [Computerworld]

NZ – New Duty to Disclose Health Conditions To Employers

Employees will have to tell their employers if they have medical conditions or are taking prescription drugs that affect their productivity or expose others to harm, under provisions in a proposed bill. The Employment Relations (Safe and Healthy Workplaces) Amendment Bill is the work of police officer and anti-drugs crusader turned MP Mike Sabin. The bill would provide a legislative framework with clear obligations for employees and employers when it comes to workplace safety and drug and alcohol use. There is currently no legislative framework to guide employers and employees when managing health, safety and productivity concerns stemming from the direct and indirect effects of drug and alcohol use, Mr Sabin says. “The aim here is not to infringe on privacy or the rights of the individual…it’s simply to be able to identify a hazard and manage it,” Mr Sabin says. In the US, problems with prescription drugs are on the increase, he says. New Zealand is typically five years behind US drug-use trends and Mr Hilson hopes this bill would get introduced before prescription drug abuse becomes a bigger.  []

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

A regional court in Versailles, near Paris, is examining whether Ikea executives in France broke the law by ordering personal investigations of hundreds of people over the course of a decade. A review of the court records by The New York Times indicates that Ikea’s investigations were conducted for various reasons, including the vetting of job applicants, efforts to build cases against employees accused of wrongdoing, and even attempts to undermine the arguments of consumers bringing complaints against the company. The going rate charged by the private investigators was 80 to 180 euros, or $110 to $247, per inquiry, court documents show. Between 2002 and 2012, the finance department of Ikea France approved more than €475,000 in invoices from investigators. The case has caused public outrage in France, not only because of the company’s large consumer following in this country — Ikea’s third-largest market after Germany and the United States — but because the spying cases occurred in a country that, in the digital age, has elevated privacy to a level nearly equal to the national trinity of Liberté, Égalité and Fraternité. [The New York Times]



01-15 December 2013


US – NTIA Announces Facial Recognition Meeting Schedule

An announcement in the Federal Register details the National Telecommunications and Information Administration (NTIA) series of eight meetings related to the “Consumer Data Privacy Code of Conduct” on facial recognition technology first reported last week . The meetings will be held in Washington, DC, and will be open to the public. The report includes the dates of the eight meetings, beginning with one on February 6 aimed at beginning a “factual, stakeholder-driven dialogue regarding the technical capabilities and commercial uses of facial recognition technology.” The NTIA plans to circulate a draft for public comment following the last meeting on June 24. [Government Security News]

US – Next NTIA Project to Focus on Facial Recognition

The National Telecommunications and Information Administration (NTIA) announced it is launching a new multi-stakeholder process that will focus on the commercial use of facial recognition technology. While the technology has potential for innovative use that could improve services for consumers, writes Department of Commerce Assistant Secretary for Communications Lawrence Strickling, “the technology poses distinct privacy challenges. Digital images are increasingly available, and the importance of securing faceprints and ensuring consumers’ appropriate control over their data is clear.” The NTIA, which most recently used the multi-stakeholder process to release a code of conduct to improve privacy notices on mobile devices, will convene the first meeting to explore privacy safeguards for facial recognition technology on February 6 at 1 p.m. The public and all stakeholders are invited, and the meeting will be webcast. [NTIA]


CA – Denham Calls for Amendment to Law; Ring Voices Concerns

Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts. [Times Colonist]

CA – Report: Supreme Court Ruling Suggests All Data Is Not Equal

In a complex ruling, the Supreme Court of Canada has found that data stored on a hard drive “is not equal to the same material stored in a filing cabinet.” The case, which involved a man’s conviction for growing marijuana, is what the Canadian Bar Association’s called “a marker (in the ground) for digital privacy law in Canada,” the report states, noting the man’s lawyer “succeeded in convincing the justices that computers are ‘stand-alone places’ that require specific search warrants.” [SC Magazine]

CA – Bertrand Denies Support of Data-Sharing Bill

New Brunswick Privacy Commissioner Anne Bertrand has said she did not give the government input or support for a proposed government data sharing bill. Earlier in the week, the education minister said Bertrand had supported Bill 23—a bill that would make it easier for government agencies to share personal information. In a letter to Speaker Dale Graham, Bertrand wrote, “With respect, I was surprised to hear the minister’s comments to this effect, as her comments do not accurately reflect the nature of the discussions that took place between our office and department officials on this matter.” [CBC News]


WW – World’s Leading Writers Demand “Digital Bill of Rights”

More than 500 of the world’s top writers have banded together to condemn the scale of government surveillance around the globe. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals has undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds. [The Guardian]

US – Study: Smartphone Users Will Pay More for Privacy

A study by University of Colorado Profs. Donald Waldman and Scott Savage has found “average smartphone users are willing to pay a few dollars for mobile apps that maintain privacy.” The team surveyed 1,726 people from seven U.S. cities, finding “consumers are willing to pay $4.05 to conceal contact lists, $3.58 to conceal the contents of text messages, $2.28 to shield browser history, $1.75 to block the phone’s ID number and $1.19 to conceal personal locations,” the report states. “We wanted to put a number out there,” Savage said. “Instead of saying what you feel or anecdotally thinking privacy is important, let’s put a number on it. Then people can have a real discussion.” [Daily Camera]

WW – Customized Airline Deals Raise Privacy Concerns

Industry reports that airlines are looking to roll out customized airfare packages for consumers based on collected data that could include income, home location and travel patterns. They are raising privacy concerns among some consumer advocates and have received the attention of the U.S. Department of Transportation (DoT). A spokeswoman for Airlines for America said, “We expect to see more airlines adopt this trend in commerce as they continue to offer passengers a more personalized travel experience.” However, Consumer Travel Alliance’s Charles Leocha said, “It will be the death of comparison shopping.” The DoT is scheduled to meet on Monday to discuss airfare pricing and could recommend federal legislation requiring airlines to disclose what data they’ve collected on travelers, the report states. [L.A. Times]

US – Many Stores Tracking Shoppers This Holiday Season

U.S. retailers are putting small tracking devices to work monitoring shoppers and their cellphones, to “tally how long people wait in line and where they shop.” The Future of Privacy Forum (FPF) has estimated “about 1,000 retailers, from tiny boutiques to Macy’s Inc., have outfitted their aisles with sensors to monitor shoppers’ paths,” the report states. While FPF has asked retailers to notify shoppers they are using such technology—and eight makers of tracking devices asked their clients to post such disclosures, the report notes, “the idea went nowhere with retailers.” Other retailers, meanwhile, have cited privacy concerns as their reason for holding off on using tracking technology, and some customers have complained about such practices as stores using WiFi signals to track customers through their cellphones. [The Wall Street Journal]

UK – Just 9% of Customers Have Faith Brands Will Secure Their Data

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20% said they would inform police of a data loss, considering it a criminal offense, and 63% said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said Fujitsu, Chief Security Officer, UK & Ireland David Robinson. Research was conducted by OnePoll, an independent research consultancy based in London. The consumers in the UK completed an online survey in October. [Fujitsu]

WW – Getting to Simpler, More Consumer-Friendly Privacy Policies

Prior to stepping down from the FTC, David Vladeck “frequently railed against the current generation of consumer-facing privacy policies” as it becomes clear that consumers just don’t read or understand them. And there is data to back him up, notes GMAC Chief Privacy Official Allen Brandt. This Privacy Perspectives post looks into several examples of creative ways companies are conveying their privacy policies to consumers, including how GMAC recently converted its entire consumer-facing privacy policy into a series of one-minute videos. [Full Story]


EU – France Gets Criticism for New Surveillance Law

France passed a law expanding government surveillance activities and the country is getting heavily criticized by privacy advocates for the move. The new law “essentially means that the police, intelligence and anti-terrorist agencies can now spy on Internet users in real-time, across computers, tablets and smartphones.” Previously, these entities needed approval from a National Commission for the Control of Security Intercepts judge before conducting these activities. One privacy expert voiced his disappointment with the CNIL, the French DPA, and noted that the new law “shows (that) the EU governments still have few qualms about mass surveillance of their own populations, even as they protest about NSA.” [SC Magazine]


WW – Microsoft Beefing Up Encryption Following Gov’t Spying Revelations

A Microsoft blog announces the company is “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” The company says allegations that some governments circumvent online security measures to collect private customer data put such governments alongside such threats as sophisticated malware and cyber attacks. As such, Microsoft plans to encrypt all services, reinforce legal protections for customers and expand the transparency of its software code. Microsoft General Counsel Bradford Smith said revelations the government might be hacking into corporate data centers “was a bit like an earthquake, sending shock waves across the tech sector.” [PC World]

EU Developments

EU – One-Stop-Shop Principle Delays Progress on Regulation

The proposed EU Data Protection Regulation suffered a setback when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights. [EU Observer] see also: [The EU and APEC: A Roadmap for Global Interoperability?]

EU – DPAs Say They Aren’t Ready for Regulation

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue. Irish Data Protection Commissioner Billy Hawkes says , under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules. [PCWorld] See also: [Draft EU Data Protection Package: A History and Look to the Finish Line]

EU – Member States Need More Time with Regulation Proposal

The EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht. [Bloomberg]

EU – EU, U.S. Officials Indicate Potential Privacy Agreement at DPC

The keynote stage at the IAPP Data Protection Congress in Brussels became a diplomatic back-and -forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue. [Privacy Advisor]

EU – Top Six Inadequacies Found During Privacy Audits

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list. [Privacy Advisor] See also: [Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan]

EU – Pan-Euro Law Likely Means ICO Restructuring

Pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February. [SC Magazine]

EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent.” Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

EU – New Dutch Fining Powers Expected in 2015

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. Jeroen Terstegge examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015. [The Privacy Advisor]

EU—Royal Decree Transposes Directive into Belgian Law

The Belgian government recently issued a royal decree that lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree transposes the EU Data Retention Directive into Belgian law. [Details]

EU — New Danish Whistleblowing Legislation Takes Effect

As of 1 January 2014, new Danish legislation concerning whistleblowing will take effect. According to the new legislation, all Danish companies in the financial sector must have a whistleblower scheme that enables employees and board members anonymously to report any breach of the financial regulation.  [Details]

EU — Customer Care Outside the EU, New Rules Coming from the Italian DPA

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens. [Details]

EU—Datagate: Garante and DIS Enter Joint Agreement

The Garante and DIS have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta. [Details]

UK—Tribunal Overturns ICO’s £300,000 Spam Texts Fine

The General Regulatory Chamber, which allows rights of appeal against decisions of the UK Information Commissioner’s Office (ICO), has overturned an earlier £300,000 fine for the sending of unwanted text messages.  [Details]

UK—Ministry of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families. [Details]

UK—ICO to Update Privacy Policy Guidance

The Information Commissioner’s Office (ICO) has announced that it will be updating its privacy policy guidance to reflect changes in privacy practices and technology. [Details]

UK—ICO Issues Code on Practice of Anonymisation

Anonymisation is of particular relevance at the moment, given the increased amount of information being made publicly available through Open Data initiatives and through individuals posting their own personal data online. Furthermore, the concept of anonymisation is fundamental for organizations that intend to take advantage of the possibilities offered by Big Data analytics without putting at risk the privacy of the data subjects. [Details]

Facts & Stats

WW – Data-Mining Software Biz Expects To Raise $100M

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. [Source] [What Makes a Good Privacy Pro?] [Social Media Guru Deletes Facebook Account, Citing Need to “Take a Stand”]


US – The Impact of New Payment Card Industry Standards on Business

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. [The Privacy Advisor]

US – Social Media Guidance for Financial Institutions

After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions. [Read Guidance]

CN – Measures Clarify Rules for Chinese Credit Reference Agencies

The People’s Bank of China put out Administrative Measures for Credit Reference Agencies to supplement the Administrative Regulations on the Credit Information Collection Sector. Hunton & Williams’ Privacy and Information Security Law Blog reports that the measures provide more detail to the regulations, which “established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.” The measures require agencies that handle personal information to gain pre-approval for licensing before they incorporate the data and state that all credit reference agencies may experience “enhanced surveillance” in certain circumstances, including if the agency is involved in a data breach incident or has failed to comply with reporting obligations, among others. The measures take effect on December 20.


US – GINA: Complying With this Camouflaged Privacy Law

The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon — and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization.  [Privacy Tracker]

US – Court to Hear California DNA Law Arguments

A panel of 11 Ninth Circuit Court of Appeals judges will hear oral arguments today in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland’s narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California’s law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes. [The Associated Press]


WW – EFF Criticises Google for Removing Android 4.4.2 ‘Vital Privacy Feature’

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.” [Full Story]

WW – Google to Cache All Gmail Images, to Some Confusion

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users. [Ars Technica]]

Health / Medical

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [HHS Report]

Horror Stories

US – Breaches Affect Health Providers, College System and Discussion Forum

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, reports. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and the publication breached privacy policies to gain the information. []

US – Breach May Hit 465,000 Cardholders; 2M Passwords Stolen

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cybertheives. The cards were used by corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports , in a separate incident, keylogging software that has been installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo. [Reuters]

US – LinkedIn Seeks Class-Action Dismissal

LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users’ accounts for promotional use .” In an argument filed in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site’s terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.” [SC Magazine]

Identity Issues

WW – AVG Unveils WiFi Do-Not-Track App for Mobile

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” [Forbes]

Internet / WWW

WW – Snowden Leaks “Gumming Up” Cloud Industry

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.” [CNET News]

Law Enforcement

US – Boston Police Halt License Scanning Program

The Boston Police Department “has indefinitely suspended” its use of license-plate readers to check for motor vehicle violations in light of privacy concerns. “The police inadvertently released to the Globe the license plate numbers of more than 68,000 vehicles that had tripped alarms on automated license-plate readers over a six-month period,” the report states, noting that release “triggered immediate doubts about whether the police could reliably protect the sensitive data.” Spokeswoman Cheryl Fiandaca said the department suspended the program while Commissioner William Evans reviews it “so he knows that it’s being used effectively and that it doesn’t invade anyone’s privacy.” [The Boston Globe]


WW – Twitter Partnership Aims to Bolster Location Services

Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users. [MediaPost News]

WW – Twitter Starts Ad Targeting; Automaker Tracks from Showroom

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ , Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).” [AdAge]


WW – Report: Developing Countries Need Privacy Laws to Bridge the Gap

UN trade and development body UNCTAD has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. As of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy. [The Guardian]

Online Privacy

US – Internet’s Sad Legacy: No
More Secrets

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [Full Story]

WW – New Study Uses Bots to Track the Trackers

A new study led by researchers at Princeton University and Belgium’s KU Leuven has discovered patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.” [Forbes]

US – AT&T Offers Discount to Users Willing to Be Tracked

AT&T has recently rolled out plans to offer high-speed Internet, including a 30-percent discount for users willing to be tracked. AT&T’s Fletcher Cook said, “With AT&T Internet Preferences, you allow us to use your web browsing activity … to provide you with more relevant offers and advertising.” Cook also said the company will not sell personal information. Those choosing not to take the discount will not get targeted ads but will still have data about them tracked. “We keep your personal information only as long as needed for business, tax or legal purposes,” he said, adding, “For those that don’t (opt-in), information is safeguarded the same way.” [Forbes]

WW – Opinion: Forget Notice and Choice, Let’s Regulate Use

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” [The Privacy Advisor]. [Privacy Art]

Other Jurisdictions

AU – Amendment to Change Australia’s Privacy Landscape

Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have. [Australian Security Magazine]

NZ – John Edwards Is New Privacy Commissioner

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February. [The New Zealand Herald]

AU – Australian Privacy Amendments Carry Big Penalties

David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace continues on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments and offers tips for compliance. The amendments will come into effect on 12 March. [Mondaq]

AU – ALRC Examines Right to Be Forgotten; Privacy Tort

The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right and to erasure,” noting “privacy groups are demanding the right to censor other people’s posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can’t give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort. []

NZ – New Zealand Official Welcomes Draft FATCA Legislation

Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliant Act (FATCA) regulations, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states. [Voxy]

HK – Commissioner Rules Fitness Center Collected Excessive Data

California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” [South China Morning Post]

Privacy (US)

US – FTC Unveils Privacy Focus for 2014

The U.S. Federal Trade Commission (FTC) has announced it will host a set of three seminars to explore consumer privacy issues and “examine the privacy implications of three new areas of technology that have garnered considerable attention.” The FTC will explore mobile device tracking, alternative scoring products and consumer-generated and -controlled health data. The first seminar, focusing on mobile device tracking, will be held in February. Meanwhile, a Government Health IT report asks, “Can the FTC regulate digital health privacy?” and looks into both sides of the data security debate between the FTC and Atlanta-based health diagnostics firm LabMD. []

US – White House Must Respond to Email Privacy Petition

A petition on the White House website calls for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an office response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. [The Hill] [Petition]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace .” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the FTC is also preparing a report expected in early 2014. [Privacy Tracker]

US – O’Connor Named CDT’s President and CEO

The Center for Democracy and Technology (CDT) has announced Nuala O’Connor will head the organization. Leslie Harris, CDT president since 2005, announced in July she would resign from the post. O’Connor comes to the CDT from Amazon, where she’s worked as associate general counsel on privacy and data protection. Prior to that, O’Connor worked as chief privacy officer at the U.S. Department of Commerce and later the Department of Homeland Security before settling in at General Electric as chief privacy leader and senior counsel. She’ll lean on her past government experience in her new role and looks forward to tackling such issues as surveillance and online decision-making. [Privacy Advisor]

US – Potential Settlement Over Alleged Data-Mining Without Notice

A filing this week indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Bloomberg]

US – Study: Schools Outsourcing Student-Data Collection, Neglecting Safety

Public schools are using web-based services to collect and analyze personal details about students but aren’t providing the necessary safeguards. That’s according to a new study released by the Center on Law and Information Policy at Fordham Law School. The study looked at the contracts school districts sign to outsource such analytics. Many of the contracts “failed to list the type of information collected” and others “did not prohibit vendors from selling personal details—like names, contact information or health status—or using that information for marketing purposes,” the report states. Meanwhile, EPIC has filed a complaint with the FTC aimed at protecting student data.  [The New York Times]

Opinion: The Poor Deserve Privacy, Too

Seeta Gangadharan and Aleta Sprague report on welfare programs and the amount of sensitive data collected on recipients. The massive amounts of data are stored in potentially unsecure databases for varying amounts of time and sometimes lack permissions controls for case workers, the report states. “Poor people in the welfare system don’t have privacy,” the authors write, “and they don’t factor into broader debates on protecting individuals’ liberty and right to be left alone.” One solution, the authors suggest, is to collect less data on recipients, thereby making the system more efficient and mitigating the potential risk of data loss. [Slate]

US – PCLOB Announces New Job Openings

The Privacy and Civil Liberties Oversight Board (PCLOB) has announced it is looking to hire attorney advisors “who will assist the board in carrying out its oversight and advice functions regarding federal counterterrorism matters.” According to the official job description, many of the cases and problems that will be handled by the incumbent will “involve little or no established precedent, may present delicate legal or factual situations and may involve important Constitutional principles.” In comments provided to the Daily Dashboard, PCLOB Chairman David Medine wrote, “Thanks to the funding provided by Congress to the Privacy and Civil Liberties Oversight Board in October, PCLOB is now able to expand its staff by hiring several lawyers. These new lawyers will increase the board’s ability to oversee existing federal counterterrorism programs and provide advice on the development of new programs, in order to ensure that the need for such efforts is balanced with the need to protect privacy and civil liberties.” [USAJobs]

US – Axciom Signs First Long-Term Ad Agency Deal

One of the leading brands in the data brokering business, Axciom, has signed what AdAge is reporting as a “multi-year deal with one of the biggest media agencies in the business: Starcom MediaVest Group.” The deal allows Starcom access to Axciom’s Audience Operating System, which offers audience segmentation and targeting across online and offline media, thanks to first- and third-party data. “We believe leveraging Acxiom client data with third-party media data across any channel is going to … shape the market in years to come,” said Laura Desmond, CEO at Starcom MediaVest Group, which is part of Publicis Groupe. The deal is significant, Axciom says, because it has formerly only worked with individual brands and companies. “This Starcom partnership is a huge deal for us because Acxiom has never had in its 40-year history a relationship with an agency,” said Acxiom CEO Scott Howe. [AdAge]


US – NIST to Host Privacy Panel December 19-20

The National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board is set to host a two-day, open meeting in Washington, DC, according to the Federal Register. Two main topics to be discussed are President Barack Obama’s Executive Order 13636 on critical infrastructure cybersecurity and potential incentives that should be adopted for improved cybersecurity practices. The report also features an agenda for the meetings, which includes updates on legislative proposals pertaining to information security and privacy, a discussion on cryptography and an update on the Privacy and Civil Liberties Oversight Board. []


WW – Tech Giants Urge Global Surveillance Reform

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data. [Source]

US – Gov’t Gathering Five Billion Cellphone Locations Per Day

The National Security Agency’s (NSA) gathering of nearly five billion records per day on cellphone locations around the world. According to documents provided by former NSA contractor Edward Snowden, the documents’ details are stored in a vast database, and new tools to analyze the data have resulted in mass surveillance as the agency is capable of tracing cellphones globally and retracing movements. Privacy advocates have concerns about the agency’s ability to establish relationships between phone users based on such data. Chris Soghoian of the ACLU said the only way to hide your location is to “live in a cave.” Meanwhile, a Brown University panel recently discussed NSA spying and how sophisticated government agencies have become in analyzing such data. [The Washington Post]

US – Obama Panel Urging Some NSA Curbs

The New York Times reports on the conclusions of President Barack Obama’s surveillance review panel. According to the panel’s report, the NSA program collecting U.S. phone call data should continue but only under “broad new restraints” to increase privacy protections. The panel also allegedly concluded that the U.S. should codify and publicly announce the steps it’s taking to protect the privacy of foreign citizens whose phone and Internet data is collected by the NSA and create “an organization of legal advocates” to argue against government lawyers before the Foreign Intelligence Surveillance Court. Resistance to the conclusions from the NSA and others is expected, the report states. Meanwhile, Verizon Communications has taken a stance against a shareholder resolution that would require more transparency about what user data it shares with the government. AT&T recently resisted a similar shareholder resolution as well. [Full Story] SEE ALSO: [Opinion: Privacy Rules Must Not Be Ambiguous]

WW – U.S., UK Intel Infiltrates Online Gaming

New leaks from Edward Snowden revealing that the U.S. National Security Agency and the UK’s GCHQ have infiltrated large online gaming communities to gather intelligence on possible terrorist activity. According to the documents, the agencies possess massive data-collection capabilities within the Xbox Live console network—a gaming community with approximately 48 million users. Documents also reveal that if done correctly, spying within the networks could produce intelligence on users’ social networking, target identifiers such as profile photos, geolocation, biometrics and other communications. Makers of the game World of Warcraft said they “are unaware of any surveillance taking place … If it was, it would have been done without our knowledge or permission.” [The Guardian]

US – NSA Uses Ad-Tracking Tech to Locate Targets

Leaked U.S. National Security Agency (NSA) slides reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information but do include users’ e-mail addresses and numeric codes to identify their browsers, the report states. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” [The Washington Post]

Telecom / TV

US – Groups Want Anonymized Phone Records Protected

In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency. [PCWorld]

US Legislation

US – AZ State Sen. Wants To Ban NSA from the State

Sen. Kelli Ward (R-Lake Havasu City) says next month she will introduce legislation to prohibit state and local law enforcement from providing support to the National Security Agency (NSA) and state-owned utilities providers from providing services to NSA facilities. Ward aims to prevent warrantless surveillance of Arizona residents. Michael Maharrey, of the Tenth Amendment Center, the group that wrote the template for the bill, says Arizona is the first state to announce it will officially consider it. “That the federal government cannot force states to help implement or enforce any federal act or program is well-established in the law. It is known as the anti-commandeering doctrine,” Maharrey said. [Computerworld]

US – Candidate Wants Surveillance Protection in MT State Constitution

U.S. Senate candidate John Bohlinger (D-MT) has filed paperwork with the Montana Secretary of State that would expand the state constitution’s privacy protections to include digital data, reports KRTV News. Bohlinger is looking to get the language on November’s voter ballot, but it must first go through the legislative counsel, the Montana Attorney General’s Office and gain more than 40,000 signatures.

US – NY Sen. Proposes Changes in State’s Education Privacy Regime

New York State Sen. and State Senate Education Committee Chairman John Flanagan (R-East Northport) issued a report recommending stronger privacy protections for student data, among other initiatives. The report addresses concerns voiced during five Education Committee hearings, including third-party access to the personally identifying information of students, teachers and principals in the state’s Education Data Portal. One piece of legislation the report points to is a privacy bill “which would strengthen protections of personal information stored on the state-wide data portal, establish significant civil and criminal penalties for unauthorized disclosure of personal information and create independent oversight within SED on matters related to privacy,” Long Island Exchange reports.

US – Journalists, School Argue Over Whether Surveillance Video Is Protected Under FERPA

The Utah chapter of the Society of Professional Journalists (SPJ) has filed a brief stating that the Canyons School District has wrongfully cited the Family Education Rights and Privacy Act (FERPA) in denying access to school surveillance video footage, reports Student Press Law Center. While the school states the footage is protected because it is maintained by the school and identifies students, the SPJ says the video is not an education record and is therefore exempt from FERPA. The lawyer for the SPJ wrote in the brief that the footage “is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”

US – Petition Acquires Enough Signatures to Require White House Response

The Hill reports on a petition on the White House website calling for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an office response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. Full Story

US – Lawmakers See Amazon Announcement as More Reason for Drone Regulation

The recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone’s backyard, snooping around with a drone, checking out a person’s patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week. [The Verge]

US – CA Court of Appeals Limits Claims, Damages Under CMIA

In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Medical Information Act. The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.”The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.” [Law360.]

US – FTC Settles with Flashlight App Developer

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014. []

US – Potential Settlement Over Alleged Data-Mining Without Notice

A recent filing indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Full Story]

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [Full Story]

US – State AGs: The Most Important Regulators in the U.S.?

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer  and Aaron Lancaster. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead. [Full Story]

US – Where the FTC is Headed in 2014

On Capitol Hill, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on its current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor , including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues The first seminar, focusing on mobile device tracking, will be held in February. [Full Story]

US – Legal Reform Needed in U.S., Not Just Europe

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror. [Full Story]

US – Google Wins Dismissal in Privacy Policy Case

Google has won its dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also ordered the plaintiffs can refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.” [Bloomberg]

US – ALEC Publishes Model Bill for State Education CPOs

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall. [Full Story]

Workplace Privacy

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” [The New York Times]




16-30 November 2013


WW – Advancements in Facial Recognition Raise Privacy Questions

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [New York Times]

US – Franken Wants Users Protected Against Facial Recognition ASAP

Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos. [The Hill]


CA – Stoddart Departing Commissioner’s Post

Privacy Commissioner Jennifer Stoddart’s departure from office and the work she did while there, including taking on big companies like Google and Facebook in defense of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier will step up as interim privacy commissioner until Stoddart is replaced. [Postmedia News]

CA – Commissioner Supports Call for CSC Audit

Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013. [Canada NewsWire]

CA – Journalists Concerned About Bill C-461

Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada’s public broadcaster, the CBC/Radio-Canada.” In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC’s journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC’s right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC’s ‘independence.’” [CNW]

CA – What Does Unconstitutional Ruling Mean for Alberta Privacy Law?

In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown analyzes what the decision means for the province. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. [Privacy Tracker]

CA – Cyber-Bullying Bill Revives Bill C-30 Controversy

A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers. The proposed law was introduced Wednesday, and is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.” [The Globe and Mail]

CA – Supreme Court to Hear Gun Registry Appeal

The Supreme Court has decided it will give Quebec’s government a final chance at making a case for preserving gun registry data. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.” [The Globe and Mail]

CA – Opinion: Saskatchewan Should Look to Neighbours

Attorney Greg Fingas writes about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it’s possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours’ choices rather than avoiding the question entirely.” [Leader Post]


US – Are Notice and Consent Still Relevant for Internet of Things?

Stakeholders met in Washington, DC, to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the FTC of late, but the complexity of the IoT ecosystem was readily apparent during yesterday’s proceedings. Jedidiah Bracy covers the event and looks at calls for a new privacy paradigm around the Fair Information Practice Principles and the need for even more robust privacy design initiatives. [The Privacy Advisor]

WW – User Privacy Perceptions Could Cause Harm

A new study suggests that, though a majority of users believe they have responsibility to protect their privacy, most do not take steps to actually protect it. The disconnection between users’ attitude toward privacy accountability suggests that consumers’ perception is more ideological than practical, said Stephen Cobb, a senior security researcher at ESET, the organization that commissioned the Harris Interactive survey of more than 2,000 U.S. adults. “What I think people lack are the resources and education to follow all the way through with (protecting information),” he said, adding, “The average American adult isn’t going to walk through the door well-prepared to protect that company’s information … They need help. They need education.” [Network World]


US – Judge Who Ruled Against Google To Hear Yahoo Case

Following her ruling against Google’s request to dismiss a privacy lawsuit accusing it of using personal information gleamed from e-mails transmitted via Gmail, U.S. District Judge Lucy Koh is being sought after to hear similar lawsuits against Yahoo. The lawyer who filed a November 15 complaint against Yahoo says Koh’s recent ruling against Google’s request to dismiss the suit against it was “enormously important” for plaintiffs in group privacy suits. Yahoo has requested that three complaints filed against it be combined in an effort to minimize the labor or costs associated should the case be heard by three different judges. Separately, Yahoo has announced that following revelations that the NSA had accessed its data centers, it will add encryption to all of its products by spring 2014. [Bloomberg]

Electronic Records

WW – Hartzog and Selinger: Maybe We Need More Specific Terms

Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write. [Forbes]


US – Lavabit Files Reply Brief in Appeal

Lavabit’s legal team has filed its reply brief in its case appealing the US government’s authority to demand the company’s master encryption key. The outcome of the case will decide whether an Internet company can be compelled to surrender master encryption keys when entities are seeking information about a single user. According to Lavabit’s brief, “the government has no general entitlement to search through the information of an innocent business.” [WIRED]

WW – Google Beats SSL Upgrade Deadline

Google has fulfilled its commitment to retire 1,024-bit encryption keys ahead of the scheduled target of the end of this year. Google has now replaced all certificates for its online services with new, 2,048-bit SSL certificates. The company is also taking steps to encrypt traffic between its data centers. [CNET]

EU Developments

EU – Commission Gives U.S. 13 Ways to Save Safe Harbor

The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework , which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld said that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor. [The Privacy Advisor]

EU – Safe Harbor Report Could Be the Start of Real Privacy Interoperability

According to Field Fisher Waterhouse Partner Eduardo Ustaran, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes for  that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…” [Privacy Perspectives]

EU – Brussels to Warn U.S. of Safe Harbor Risk

Lawmakers in Brussels are set to officially warn Washington that Safe Harbor may be at risk unless U.S. tech businesses change the way they handle the data collected on EU citizens, Financial Times reports. The European Commission (EC) has been reviewing the Safe Harbor pact and is slated to announce its conclusions on Wednesday. According to the report, the EU is not expected to scrap the deal, but its wording suggests the EU will move in that direction if changes are not made by U.S. businesses. “The personal data of EU citizens sent to the U.S. under the ‘Safe Harbor’ may be accessed and further processed by U.S. authorities in a way incompatible with the ground on which the data was originally collected,” the draft version of the EC report states. “The commission has the authority … to suspend or revoke the Safe Harbor decision if the scheme no longer provides an adequate level of protection.” [CNBC]

EU – Cookie Monsters of Silicon Valley Come to Brussels

In the world of online tracking, the cookie is king—but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. [Full Story]

EU – Berlin Now Home to Privacy Activists, Leakers

Germany’s once-divided city of Berlin has become a haven for privacy activists and whistleblowers attempting to avoid prosecution from countries such as the U.S. and UK. Documentary filmmaker and Edward Snowden conduit Laura Poitras has made Berlin home, as has former Wikileaks spokesman Jacob Appelbaum. One privacy activist said, “It’s a rather inviting social climate right now … Why be completely paranoid, go mad, have your house surveilled? There’s a reason people are coming here.” [The Washington Post]

EU – Safe Harbor’s in Trouble—Unless You Ask the U.S.

The U.S. Department of Commerce says Safe Harbor is still viable, and the FTC says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. Angelique Carson talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. [The Privacy Advisor]

EU – Reding: U.S. Must Allow Europeans to Sue Agencies That Violate Privacy

EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S. [Bloomberg]

EU – EU Parliament could block data sharing with the US

After EU Justice Minister Viviane Reding was making positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philip Albrecht said that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.” [Full Story]

EU – Opinion: Data Community Must Influence Law

“It is essential … that the information security community not only make the effort to be aware and prepare but also recognise and exert influence over” the eventual EU data protection legislation, writes Yves Le Roux of (ISC)2. Pointing to the lack of technical feasibility of the right to be forgotten, Le Roux writes that privacy pros and others need to speak up about such elements of the law that may not be practicable, noting that the IAPP Europe Data Protection Congress provides an opportunity to do just that. [Computerworld]

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]

EU – German Court: Google Rules Violate User Rights

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]


EU – French Court Orders Search Engines and ISPs to Block Pirate Sites

A French court has ordered major search engines to block 16 video-streaming websites. Google, Microsoft, and Yahoo must prevent the sites from appearing in their search results. The order also applies to several Internet service providers (ISPs) used by residents of France, which will have to prevent users from accessing those sites. Some of the plaintiffs in the case told the judge that merely ordering a block on the sites would prove ineffective because the people behind the pirate sites would just re-create the sites with new names. Wiley Rein’s David Weslow says if the decision is upheld on appeal, “there may be a precedent in France for forcing search engines or other types of Internet service providers to take affirmation actions to disable certain online content even where a ‘take down’ request has not been filed with that Internet service provider.” A recent poll about whether government should play an increasing role in protecting online privacy indicated 52% voted yes and 48% voted no, indicating “there is not overwhelming agreement” on what should be done,, adding tech companies and governments should be prepared to weigh in. Meanwhile, Google says it will voluntarily remove a Google Maps image related to a young boy’s murder. [TechRepublic]  [BBC] [WIRED]


WW – Coin Addresses Some Critics’ Concerns

When Coin released information about its all-in-one digital credit card last week, some critics voiced concern about the technology’s security and reliability issues. For example, some wondered how securely the credit card information is stored and whether the device could be used as a card skimmer. Others expressed concern that the device would not work if the associated phone is out of power, and wondered whether or not merchants would be willing to accept Coin for payments. Coin has announced some changes, including a method for reactivating the device even if users’ phones are out of battery. Coin will also lock onto the payment method users have chosen to avoid accidentally switching to other payment methods stored in the device. The company says that the stored card information is encrypted. [CNN]


EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

US – Google to Pay $17M to Settle Cookies Case

Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” following Google’s agreement last year to pay a $22.5 million civil penalty to the FTC. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.” [IDG News Service]

EU – Court: Google Rules Violate User Rights

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]

EU – Complaints Over Google Terms of Service Filed in 14 Countries

Privacy advocate Simon Davies has filed complaints with 14 European data protection authorities stating that Google’s new terms of service violate European data protection law. The main issue involves changes to the “shared endorsements” feature, which allows Google+ users’ names and photos to be used in advertising for products they follow on the service. “The general position is that the ground rules shouldn’t be changed halfway through the match. Google acquired the data under one condition, and I’m asserting that it cannot change the purpose of that data after the fact,” Davies said. Davies’ other challenges target the feature’s opt-out mechanism and changes in the way users are required to interact with YouTube. [PCWorld]

Health / Medical

US – Debunking Three Cyber Insurance Myths

“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves. [Privacy Perspectives]

Horror Stories

WW – Breaches Hit Health Exchanges, Anthem and More

Los Angeles Times reports that Anthem Blue Cross accidentally posted online the Social Security numbers (SSNs) and tax identification numbers of approximately 24,500 doctors. The data was mistakenly published within an online directory last month. Meanwhile, GovInfoSecurity reports on three breaches involving health insurance exchanges, including in Vermont and Oregon. In a separate report, the Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts discusses two essential steps organizations should take to help mitigate data breaches. More than 1,000 patients at California’s Redwood Memorial Hospital have been notified their personal information may have been compromised after an unencrypted USB drive was misplaced. Crown Castle has revealed that sensitive payroll data of its U.S. employees has been accessed by hackers. After a data breach affecting several city workers, the city of Milwaukee has said it will avoid using SSNs . And representatives from Adobe have said e-mails notifying those affected by a massive breach are taking longer than it anticipated. [L.A. Times]

WW – Breaches Affect School, Dating Site, Health Plan

A New York school district is alerting thousands of students and their parents of a security breach that saw some of their data posted online. A list of 15,000 names and school ID numbers were posted. Meanwhile, Anthem Blue Cross has begun notifying customers that their names, business addresses and tax ID numbers were posted to the company’s website this month. And online dating service company Cupid Media suffered a breach in January this year exposing names, e-mail addresses and passwords in plaintext. In an opinion piece for Dark Reading, Robert Lemos warns that cloud data is increasingly vulnerable to hacks. [Newsday]

US – Cupid Media Data Breach Affects Millions of Accounts

A data security breach at online dating network Cupid Media has exposed personal information from 42 million accounts. The compromised data include email addresses and unencrypted passwords. The data theft was discovered because it was stored on the same server where attackers had stored data stolen from Adobe, PR Newswire, and several other organizations. The Cupid Media breach apparently occurred in January 2013, and users were notified. The Australia-based company operates more than 30 specialized dating websites. [ComputerWorld]

Identity Issues

US – Screen Actors Guild Sides Against Amazon in Privacy Dispute

The Screen Actors Guild (SAG) has announced it is supporting an actress’s privacy suit against The SAG said the company “committed an unconscionable breach of trust” when it accessed actress Junie Hoang’s credit card information to determine and publicize her real birthdate. “Individual IMDb profiles contain information that most people would consider private and that can be used for improper purposes,” the SAG wrote in an amicus brief to the Ninth Circuit Court of Appeals. [MediaPost]

Internet / WWW

WW – UN Passes Internet Privacy Resolution

The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?” [Associated Press]

EU – EDPS: Telecoms Market Reform Plan Would Put Privacy at Risk

New net neutrality laws would mean Internet users’ privacy rights would be at risk, according to the European Data Protection Supervisor (EDPS). The European Commission’s telecoms market reform plans would allow Internet service providers to engage in “wide-scale, preventive monitoring of communications content,” an affront to data privacy and protection as well as consumer trust in electronic communication services, the EDPS said. []

WW – Facebook Forges Ahead with Planned Changes

While Facebook has moved forward with changes to its privacy policies alerting users it may use their profile pictures, location and other personal information in advertisements, the company has deleted a controversial line in the policy on teens’ use of the site. The line stated Facebook assumed teens had obtained permission from their parents, drawing the ire of critics including Sen. Ed Markey (D-MA), who said Facebook should not profit from the personal information of children and teens. Facebook Chief Privacy Officer Erin Egan said, however, that the company wouldn’t gain additional rights as a result of the statement; rather, it was meant to get kids and their parents discussing the terms, The Washington Post reports. [Washington Post]

Law Enforcement

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Deparetment in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]


AU – Pilgrim Discusses New Powers

Privacy Commissioner Timothy Pilgrim said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March.” Pilgrim said “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them.” He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy. [IT News ull]

HK – Critics Say Hong Kong Data Protection Law Needs Update

Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use,. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public. [South China Morning Post]

SA – South Africa: Zuma Signs Privacy Bill Into Law

South African President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law. “The act will give effect to the right to privacy, by introducing measures
to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act. [Global Post]

IN – India’s Privacy Bill to See Further Delay

Differences between the ministries of Home and Law and the Department of Personnel and Training mean the Right to Privacy Bill has little chance of being tabled in this winter’s session of Parliament. The bill was originally proposed in 2011 and aims to “safeguard security interests of all affected individuals whose personal data has or is likely to have been compromised by such a breach.” Causing the divide is a provision stating the proposed law will supersede all provisions of the 58 existing laws that touch on privacy, Economic Times reports. An official at the Department of Personnel and Training told ET that the bill has been “stuck at the law ministry for several months now.” [Indian Express]

Online Privacy

WW – Viral Video Exposes Privacy Disconnect

A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses. [Full Story]

WW – Browser Extension Allows Users to Use “Fake” Identifiers

U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details. [PC World]

Other Jurisdictions

AU – Final Set of APPs Released for Comment 

The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles (APPs). APP 12 and 13 cover access to and correction of personal information and require organisations to give consumers access to the information organisations hold on them and to take reasonable steps to correct information as well as “contact other organisations that hold the same information about a person so that they can update these details,” the report states. The consultation period is open until 16 December. [ComputerWorld]

MY – Long-Delayed Malaysian Data Protection Law Now In Effect

Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. The Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law include: An exemption for Malaysia’s federal and state governments, a category of personal data that is considered so sensitive that it requires explicit consent, cross-border transfer restrictions and criminal penalties of up to $156,000 and imprisonment of up to three years. [Hunton & Williams’ Privacy and Information Security Law Blog]

Privacy (US)

US – Site Settles After State Alleges COPPA Violation 

New Jersey has reached a settlement with a California app developer who allegedly violated COPPA by collecting the personal information of customers, which included children. Dokogeo has agreed to pay the state $25,000, but that payment will be suspended for 10 years and voided if the company complies with the settlement’s terms, which include Dokogeo’s disclosure of the type of information it collects on its apps and website and how it shares data with third parties. Meanwhile, attorneys at Reed Smith discuss the increasing attention state Attorneys General are paying to privacy lately. []

US – Apple Wins iPhone Privacy Lawsuit Dismissal

A federal judge has dismissed a lawsuit that accused Apple of not complying with the privacy promises it makes to iPhone and iPad users. The class alleged the company violated its privacy policy by allowing unique identifiers to be shared with third parties, thereby compromising user privacy. U.S. District Court Judge Lucy Koh ruled consumers failed to show they had read the privacy statements prior to purchasing the devices and none had submitted evidence they “read or relied on any particular Apple misrepresentation regarding privacy.” [MediaPost]

US – Data Broker Settles With NJ Attorney General

A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [InformationWeek]

US – ProPublica Hires Angwin to Investigate Privacy Issues

ProPublica has announced the hiring of investigative journalist Julia Angwin of The Wall Street Journal to cover privacy, technology and the surveillance state beginning early in January. Beginning in 2010, Angwin led a team of reporters to chronicle online privacy issues in The WSJ’s “What They Know” series. She is also the author of the forthcoming Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance. “Julia brings with her a magnificent portfolio of work, and she will be a stellar addition to our staff,” said ProPublica Managing Editor Robin Fields. [ProPublica]

US – Opinion: NSA Dragnet “Violates the Spirit of Framers’ Intentions”

Sens. Ron Wyden (D-OR), Mark Udall (D-CO) and Martin Heinrich (D-NM) write that, “The bulk collection of Americans’ telephone records—so-called metadata—by the National Security Agency (NSA) is, in our view, a clear case of a general warrant that violates the spirit of the framers’ intentions.” The senators opine that there’s no proof of the program’s usefulness in protecting national security and call for an end to it while promoting their Intelligence Oversight and Surveillance Reform Act and expressing disappointment with the Intelligence Committee for rejecting the act in multiple forms. Meanwhile, some are questioning the credibility of the Review Group on Intelligence and Communications, which will soon deliver a report on the NSA’s surveillance activities, saying it is made up of administration insiders. [The New York Times]

WW – Twitter Encrypts; Zuckerberg Says Gov’t “Continuing to Blow It” on Privacy

Twitter has announced it has encrypted its services to protect user data from cyber criminals and intelligence agencies. Lawyers for Lavabit—which closed its e-mail services rather than share master encryption keys with the government—have filed a reply brief in a case that may determine whether a company must be compelled to turn over such keys. Lavabit Founder Ladar Levison recently spoke about his experience with The Privacy Advisor. Meanwhile, the NSA’s John Inglis said he is skeptical about the NSA sharing the vast troves of data it collects with other federal agencies such as the FBI or DEA—indicating he does not agree with a reform bill proposed by Sen. Diane Feinstein (D-CA). The Wall Street Journal reports that a federal judge appears to be “receptive to critics” of the NSA’s collection of phone metadata, but one federal lawyer has argued that Americans have “no expectation of privacy” in making phone calls. And on ABC’s This Week , Facebook CEO Mark Zuckerberg said the U.S. is “continuing to blow it” on privacy issues. [Full Story]

US – BBB: Ad Campaign Violated Industry Code

The Better Business Bureau has said a genetic testing company’s recent online ad campaign didn’t comply with the ad industry’s privacy code. Company 23andMe retargeted users who had visited 23andMe’s website, according to the report, but the ads lacked the AdChoices icon, which allows users to opt out of behavioral advertising. The company as well as its ad-campaign agency and the platform used all said they expected the other to serve the icon. The failure “highlights the need for greater awareness and vigilance from all companies that comprise this diverse and interdependent ecosystem,” the Better Business Bureau said in a statement. [MediaPost News]

US – FTC Announces New Chief Technologist, Senior Advisor Privacy/Security

The FTC has announced the appointments of Harvard University Prof. Latanya Sweeney as chief technologist and University of Pennsylvania Wharton School Assistant Prof. Andrea Matwyshyn as a senior policy advisor on privacy and data security issues. “I am delighted to welcome Latanya to the FTC. She has done groundbreaking work in the anonymization of sensitive consumer information and privacy technology, and I look forward to the contributions she will make to the FTC’s efforts to protect consumers,” said Chairwoman Edith Ramirez, adding, “Andrea is a rising academic star whose insights on the intersection of technology innovation and data privacy and security law will be enormously valuable to the FTC’s efforts to protect consumer privacy while promoting innovation. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Will the Internet Become Private as a Standard?

The Internet Engineering Task Force (IETF) has asked the architects of Tor, a privacy-protecting web-browsing tool, to discuss the idea of using their product to make private web browsing the Internet standard, Salon reports. “Collaborating with Tor would add an additional layer of security and privacy … that goes beyond encrypting your communications,” the report states. Andrew Lewman, executive director of Tor, says the idea is “worth exploring to see what is involved. It adds legitimacy; it adds validation of all the research we’ve done”; however, he adds, “The risks and concerns are that it would tie down developers in rehashing everything we’ve done, explaining why we made decisions we made. It also opens it up to being weakened.” Meanwhile, new app Aether is an encrypted network that lets people share content anonymously. [Full Story]

WW – Software Aims to Protect Social Media Content

Managing social media privacy settings might become easier due to software that can suggest privacy settings for content you share with different groups. The software uses data-mining techniques to analyze the structure of users’ social network and then predicts what kind of privacy they would choose, the report states. It was developed by researchers at Penn State and the Missouri University of Science and Technology, and its developers say the software is 77%- accurate in guessing what kind of privacy people would assign each piece of content. [MediaPost]

EU – EuroPriSe Seal To Change Hands January 1

The German data protection authority that operates the EuroPriSe privacy certification seal, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), announced this month that it is transferring operations to a new entity to be known as EuroPriSe GmbH as of January 1. This, said Thilo Weichert, head of ULD, will allow the program to grow in a way that was not possible as part of a regulatory body like ULD. Jurgen van Staden of 2B Advice explains the new organization will allow for extending certifications to a much larger group of methods, concepts, people, training sessions and websites “in accordance with the tried and tested certification structure EuroPriSe experts and customers have come to know.” [Privacy Advisor]

WW – LG Investigating Reports of Smart TV Data Snooping

LG is looking into reports that some of its Smart TVs are gathering information about customer viewing habits and sending the data back to the manufacturer. The activity reportedly occurs even when customers have turned on certain privacy settings. A recent blog (link in BBC story) said that the TVs gather data about which channels customers watch and what devices are connected to the television. The blogger found that an option allowing collection of viewing data was on by default, but even after he switched it off, the information was still being sent, although a flag in the data indicated that he had changed that preference. A second blogger says that LG Smart TVs share not only that information but also the names of files shared on home and office networks. Asked for comment, LG responded, “Customer privacy is a top priority at LG Electronics and, as such, we take the issue very seriously. We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.” [CNET UK] [BBC] [Ars Technica] [Ars Technica] [Opinion: TV’s Rollout Shows Lack of PbD, Transparency]

WW – LG Plans To Update Firmware Following Smart TV Allegations

Following a UK blogger’s allegations that smart TVs are collecting user data on such details as what channels are watched and the names of media files streamed over networks, LG has responded saying that the information collected was “not personal but viewing information.” The company said it has verified that even when the Smart TV platform is turned off by the user, information apparently continues to be transmitted, though the data is not retained by the server. “A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted,” the company said. [CNET]

WW – Open-Sourced Router Privacy Project Unveiled

Embedded systems design company Redfish Group has launched an open-sourced router project to help protect online privacy. Called ORP1, the project aims to protect the privacy of users across all their devices located within their homes. ORP1 is set to feature a user-friendly interface with an OPSec virtual privacy network and Tor server, the report states. Redfish Managing Director Justin Clacherty said, “I’ve really wanted to get an open networking platform out there for a while now, and we just felt that a router was the way to go, especially with all the NSA revelations and people’s worrying about the different U.S. tech companies providing equipment to us, which may have backdoors.” [ZDNet]

US – Washington’s Complex Approach to Data Brokers

Politico reports on two current government investigations into data brokers and what those could mean for the federal government’s approach to the industry. The FTC and the Senate Commerce, Science and Transportation Committee are each conducting separate investigations. It is not yet known when results will be arrive, the report states. FTC Commissioner Julie Brill has been promoting her Reclaim-Your-Name concept , a one-stop shop for consumers to access their online profiles compiled by data brokers, but the marketing industry is pushing back. Direct Marketing Association Vice President for Government Affairs Rachel Thomas said, “We don’t believe a one-stop, one-size-fits-all web portal with every data broker in the world is going to be something that actually increases consumer understanding in the way that is necessary.” [Politico]

WW – How To Do PbD in Predictive Analytics

IBM Fellow and Entity Analytics Group Chief Scientist Jeff Jonas discusses his involvement with Privacy by Design and how he integrated it into new predictive analytics software. Jonas has created technology that allows businesses to collect and analyze data from multiple sources in real time to help make “smart” decisions. He said, “One of my goals in the use of Privacy by Design in the G2 project was what kind of privacy features can I bake in that cost no more? In other words, they’re by default. They’re built in. In fact, a few of them, you can’t even turn them off. That way, someone’s not left there with a decision, ‘Yeah, we trust ourselves. I don’t have to pay extra for a privacy feature. I’d rather just buy more disk space.’” [Data Informed]


US – Technology Council Report Says Govt Needs to Improve Cybersecurity

A report from a presidential technology council says that the US government is not setting a good example in cybersecurity. According to the report from The President’s Council of Advisors on Science and Technology, “the Federal Government rarely follows accepted best practices.” The report’s “Overarching Finding” reads: “Cybersecurity will not be achieved by a collection of static precautions … [but instead] requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.” Among the report’s recommendations is that Internet service providers (ISPs) increase their real-time threat response. [Ars Technica] [SC Magazine] [Report]

US – Will A Not-So-Friendly R2-D2 Be Your Next Security Guard?

“The night watchman of the future is five feet tall, weighs 300 pounds and looks a lot like R2-D2—without the whimsy.” A California company’s mobile robot. Knightscope’s K5 Autonomous Data Machine, was unveiled, developed “as a safety and security tool for corporations, as well as for schools and neighborhoods,” the report states. Some see such a move as “an entry point to a post-Orwellian, post-privacy world,” the report states, quoting the Electronic Privacy and Information Center Marc Rotenberg as saying, “This is like R2-D2’s evil twin.” [The New York Times]

UK – Air Passengers Allowed to Refuse Scanners as More Are Installed

Security scanners are currently in use at 10 of the UK’s busiest airports and are being deployed at 11 more, according to Transport Secretary Patrick McLoughlin. At the same time, passengers are now being offered alternate options after refusing to go through the scanners, while previously they were simply not allowed to fly. “From today, passengers who opt out of being screened by a security scanner will be allowed a private search alternative. This is a method of screening which we consider is of an equivalent security value to a security scan,” McLoughlin said. [Computerworld UK]

WW – Companies Largely Support BYOD, Lack Sufficient Policies for IT

While the majority of IT specialists say their companies support bring-your-own-device (BYOD), a recent survey indicates they don’t use tools or policies to protect corporate data, Bank Systems & Technology reports. The Zix Corporation and Ponemon Institute survey found that 56% of respondents say their companies seek to replace current BYOD solutions. “Companies are swiftly adopting BYOD to enable work productivity and create efficiencies but are hitting significant road bumps in cost, security and employee concerns,” said the Ponemon Institute’s Larry Ponemon. Meanwhile, one security expert cautions against the pitfalls of BYOD policies, including a once-size-fits-all approach. [Full Story]

US – NIST Holds Last Workshop Before Cybersecurity Framework Becomes Final

The National Institute of Standards and Technology held its fifth workshop on President Barack Obama’s executive order for a cybersecurity framework, the last before the framework is due to be finalized in February. The workshop was intended to solicit feedback from stakeholders. While many expressed enthusiasm about the swiftness with which the framework has moved from concept to model, there are still questions on how to apply the framework and what adoption will look like. “From my perspective, the framework should be used as a guidance,” said AT&T’s vice president of global public policy. [Computerworld]

US – US Defense Contractors Now Required to Implement Security Standards

The US Department of Defense (DOD) will now require contractors to implement “established information security standards” on all classified and unclassified networks. Companies contracted to make weapons for DOD will be required to report all network security breaches “that result in the loss of unclassified controlled technical information.” The requirements will be built into contracts. [The Hill] [Yahoo! ] NextGov] [Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information]


US – FAA Unveils Privacy Rules for Test Sites

The Federal Aviation Administration (FAA) has issued privacy requirements for U.S.-based drone testing sites. Earlier this year, the FAA announced there will be six drone testing sites to help integrate the technology into the National Airspace System. Some have questioned whether the agency has the authority to issue privacy requirements. One commenter said, “Existing privacy laws are sufficient to cover the responsible use of (drones). There already exist federal, state and other laws that protect privacy … tort law may also provide avenues of recourse for plaintiffs to protect their privacy rights.” The ACLU’s Chris Calabrese said the government has taken an “important step” by issuing the requirements, but added, “Congress must also weigh in on areas outside the FAA’s authority…” [Courthouse News Service]

US – Amazon Envisions Eventually Delivering Packages in 30 Minutes Via Drones

On 60 Minutes, Amazon CEO Jeff Bezos unveiled plans to use unmanned aerial vehicles (UAVs) to deliver packages to customers. University of Washington Law Prof. Ryan Calo said this is the type of commercial application Congress envisioned when it ordered the Federal Aviation Administration (FAA) to open up airspace to the technology. “By 2015, the FAA has to come up with a set of rules that integrates just the kind of thing that Amazon is talking about,” said Calo, adding that the agency may initially require humans to guide the UAVs remotely. [The Washington Post] [60 Minutes]

US – Data Broker Settles With NJ Attorney General

A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [Information Week]

WW – Suspicious Internet Route Hijacking Raises Concerns

Earlier this year, researchers began noticing suspicious activity called route hijacking, a type of man-in-the-middle attack on Internet traffic. The technique routes the traffic through countries around the world where it could be inspected and possibly altered before being sent on to its final destination. Internet traffic by its very nature can travel widely and by what would not appear to be the most direct path, but the recent attacks indicate that the traffic is deliberately being routed in certain ways. In some cases, large chunks of traffic from financial institutions, government agencies, and service providers in several countries have been routed through servers in Iceland and Belarus. [Ars Technica] [NBC News]

Telecom / TV

US – Investors Want AT&T, Verizon to Share Gov’t Requests

Investors have asked AT&T and Verizon to reveal what data was shared with U.S. and foreign governments and what measures were taken to protect users’ privacy. New York State Comptroller Thomas DiNapoli said, “Transparency allows investors to make informed decisions about corporate behavior … Publishing regular reports on requests for information from governments would be an appropriate response to shareholder and customer concerns about trust and privacy in the digital world.” A spokesman for AT&T said, “As standard practice we look carefully at all shareholder proposals, but at this point in the process we do not expect to comment on them.” Meanwhile, newly released FISA court documents reveal that the NSA shared bulk e-mail and phone records data with other government agencies, a violation of court-ordered procedures, The Guardian reports. [Bloomberg]

US Government Programs

US – U.S. Accountability Office Calls for Baseline Privacy Legislation

The Government Accountability Office (GAO) has released a report calling for a comprehensive federal law governing the collection, use and sale of personal data by businesses. The report was called for by Sen. Jay Rockefeller (D-WV) earlier this year. The GAO analyzed current law, regulation and enforcement actions and convened with representatives from government, advocacy groups, trade associations and data broker organizations, concluding, “Congress should consider strengthening the current consumer privacy framework to reflect the changes in technology and the marketplace, particularly in relation to consumer data use for marketing purposes.” The Direct Marketing Association (DMA) said, “While we do not share the GAO’s opinion … DMA was pleased to see that the report recognized the important economic benefits that derive from the responsible use of consumer data…” [AdWeek]

US – Six Practical Tips Gleaned from the DHS Annual Privacy Report

Privacy sector folks might think they don’t have much to learn from the Department of Homeland Security Privacy Office’s 2013 Annual Report to Congress, but you may find that the report contains plenty of relevant and useful information to help you manage your organization’s privacy program. Dennis Holmes tackles the task of analyzing the 86-page report and bubbling up the six practical tips most likely to give your program a boost. [Privacy Perspectives]

US Legislation

US – Pennsylvania Senate Committee Amends Proposal for DNA Database

The Pennsylvania Senate in June passed a proposal allowing police to collect and retain DNA from anyone arrested for a felony or misdemeanor, expanding the current law which allows for DNA collection from those convicted of a “serious felony.”. However, the House Judiciary Committee amended the bill before approving it to address concerns that the bill was too broad. One amendment would stop police from entering DNA data into any state or national database until a suspect is “held for court at a preliminary hearing or waives his right to the hearing,” the report states. Another makes it easier for those determined innocent to have their DNA records expunged. One ACLU representative says the amendments don’t go far enough. [The Sentinel]

US – NJ Social Media Privacy Law In Effect, NYC Debating Its Own

On the heels of New Jersey’s Social Media Privacy Law going into effect, the Staten Island City Council is looking at a bill that would provide similar protections for employees and potential employees. Councilwoman Debi Rose (D-North Shore) one of the bill’s sponsors, said it “would eliminate the ability of an employer to demand or retaliate against failure to divulge a job applicant’s or employee’s private social media account information,” adding, “Privacy rights in this technological age must be protected. Information that is
not available to the rest of the public cannot be demanded by an employer and should not hinder an individual’s prospective or current employment.” [SI Live]

US – Disparate State Laws = Breach Response Confusion, Unprotected Subjects

While companies work to navigate disparate state breach laws, plaintiffs’ lawyers are on the hunt for the next “mega lawsuit, and data privacy looks very promising with its litigation trifecta: major consumer exposure, complex and increasingly antiquated state and federal data privacy laws, and ever larger and more frequent data breaches.” Standardizing and modernizing data breach laws is the first step to protecting consumers and organizations, according to the report, noting that “as companies constantly work to keep one step ahead of the bad guys, the goal should be to achieve real data security with legal clarity, rather than another big payday for the plaintiffs’ bar.” [Mondaq]

US – VT Supreme Court Rules No Privacy on Workplace Computer

In a case that involved Rutland Police Department employees viewing and sending pornography on work computers while on duty, the Vermont Supreme Court ruled that the employees had no right to privacy. Additionally, because the computers were city property and the employees were on duty, there was no basis to redact personally identifying information from the records. The report from HR.BLR.comincludes major takeaways from the decision, including that “personal information about public employees may be disclosed if the broad public interest served by the disclosure outweighs individual employees’ expectations of privacy.”

US – FTC v. Wyndham: Round One

Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security. [Full Story]

US – How To Handle California’s New DNT Law

Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, the legislation “may raise as many questions as it answers,” because, due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Discover practical options in this Privacy Tracker blog post. [Full Story]

Workplace Privacy

US – Study Finds Hiring Discrimination Based on Social Media

A Carnegie Mellon study that found many businesses use social media to look up job applicants and suggests they use such data to discriminate. The study revealed that between 10% and one-third of U.S. firms searched social media to check on job applicants early in the hiring process. One of the study’s authors, Alessandro Acquisti, said, “By and large, employers avoid asking questions about these traits (such as religion or sexuality) in interviews,” adding, “But now technology makes it easier to find that information.” Meanwhile, The Atlantic’s featured article for December reports on the now common combination of Big Data analytics and human resources—also known as “people analytics”—and the way it’s transforming how employers hire, fire and promote employees. [The Wall Street Journal]

EU – Prosecutors Investigating IKEA Execs for Data-Spying

Prosecutors in France are investigating three senior IKEA executives amid allegations they authorized illegal spying on employees and customers. Chief Executive Stefan Vanoverbeke and two others were possibly involved in a “conspiracy to collect a range of personal information including criminal records, automobile registrations and property records,” the report states. According to prosecutors, the executives collected such data in order to watch employees and also reveal “unflattering details” about customers bringing lawsuits. IKEA France has been ordered to post a bond of 500,000 euros. [The New York Times]

US – Officers May Be Tracked Via GPS-Equipped Cars

Boston, MA, police officers are worried that their superiors will be tracking their every move now that Boston police cruisers are likely to be equipped with GPS tracking devices. Administrators say the devices will allow dispatchers to view where officers are located rather than waiting for a radio response, accelerating response times to crimes. The plan awaits the approval of the City Council. “Nobody likes it. Who wants to be followed all over the place?” one officer said. Officers would be alerted if someone from the public requested GPS records. Meanwhile, developers of license-plate tracking technologies are developing rich databases, the contents of which are sometimes for sale. [The Boston Globe]


01-15 November 2013


CA – Canadian Minister: Province to Address Gap

Saskatchewan Justice Minister Gord Wyant has said the government must address a “gap” in privacy protection for private-sector employees. “We, like Ontario and the eastern provinces, have relied on the federal legislation with respect to privacy matters in the private sector,” Wyant said. Referencing calls for change by Saskatchewan Information and Privacy Commissioner Gary Dickson, Wyant added “there’s a little bit of a gap when it comes to that area.” To address the issues, he said, “We’ve consolidated all the labour legislation into one piece, and we think that there’s a possibility of perhaps bringing some regulations forward under the employment act to cover off that issue.” [The Regina Leader-Post]


WW – Brick-and-Mortars Catch Up on Customer Tracking

Brick-and-mortar retailers are using face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.” [Reuters] See also: [Pandora Looks Past the Tracking Cookie by Mining User Data]

WW – Survey: Shoppers Unsure About Tracking-for-Coupons Model

While consumers are becoming more aware that they may be tracked as they walk around brick-and-mortar stores, “plenty still feel uncomfortable about it.” That’s according to a survey that found that nearly half of respondents said they would find it invasive if a store sent them a text-messaged coupon as they walked past that store. But only 35% said they found it invasive for a website to know their geographic location, suggesting “people are less comfortable being tracked on their mobile devices in a store than as they surf around the web,” the report states. [PC World]

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]

Electronic Records

US – Are There “Limitless” Privacy Risks to New Health Exchanges?

A government report on the Affordable Care Act health insurance exchanges details the “high risks” and potential “limitless” privacy concerns with the site. One key official in the Obama administration testified earlier this month that he was not copied on the memo detailing the risks. Centers for Medicare and Medicaid Services Deputy Director and Deputy Chief Information Officer Henry Chao, who “is in charge of … the operations of the agency’s information systems security program,” said, “It is disturbing” that he was not copied on the memo, adding, “This is … a fairly nonstandard way to document a decision.” [Forbes]

US – EHRs Make Audit Trails Much Easier To Follow

Electronic health records have made catching unauthorized viewers much easier. And that has illustrated the frequency with which unauthorized access occurs, such as last month’s notification by Minnesota’s Allina Health System that 3,800 patients’ personal health data had been breached by a medical assistant who had been improperly accessing the information for three years. The Department of Health and Human Services reports that since 2009, 27 million individuals have had their personal health data compromised. [Healthcare IT News]


WW – Microsoft Does Not Encrypt Server-to-Server Traffic

A Microsoft executive told members of the European Parliament that the company does not encrypt server-to-server data traffic. Dorothee Belz, Microsoft EMEA VP for Legal and Corporate Affairs said that the company is “currently reviewing [its] security system.” Belz appeared before a European Parliamentary committee with representatives from Google and Facebook. Earlier, she had stated that Microsoft did not allow “direct access” to its servers. The revelation about the unencrypted traffic between Microsoft servers follows close on the heels of leaked documents that indicate the NSA and GCHQ tapped into such connections between Google data centers to access data. [Ars Technica] [The Register]

US – Exclusive Interview with Lavabit Founder on the Day the FBI Came Calling

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. The Privacy Advisor describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not. [Privacy Advisor]

US – US Justice Dept. Files Brief in Lavabit Appeal

The US Justice Department has filed an appellate brief in the Lavabit case. The government maintains that Lavabit founder Ladar Levison’s promise of security to his customers does not exempt him or his company from having to comply with court orders. According to the brief, DOJ wanted the metadata from a single Lavabit account. (Although the investigation’s target is not specified, it is widely believed to be Edward Snowden.) The DOJ dismissed Levison’s concerns that it would use the SSL key it sought to peruse accounts of other Lavabit users. [WIRED] [ComputerWorld]

EU Developments

EU – Reding Says Data Protection Outside of TTIP’s Scope, Calls for an EU NSA

Officials in Brussels say Germany’s plan to push for tough data protection controls for the Transatlantic Trade and Investment Partnership is a “big surprise.” [Reuters] Despite a push from Germany to include data protection rules within the Transatlantic Trade and Investment Partnership in the wake of U.S. spying revelations, European Commission Vice President Viviane Reding says data protection is outside of the EU-U.S. pact’s scope. “The commission’s view and the position taken by all leaders at the recent European Council is clear: Let’s not mix up the phone tapping issue with the ongoing trade talks,” Reding said. Reding has also called for the EU to create its own intelligence agency by 2020 in order to “level the playing field” with the U.S. Meanwhile, U.S. Attorney General Eric Holder says the U.S. is taking note of Europe’s concerns. [Financial Times]

EU – Court Rules Google Must Remove Images from Search Results

A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst. [The Economic Times

UK – ICO: Cookie Replacements Must Follow Rules

The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forego cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature. []

EU – Garante Provides General Rules Following Outsourcing’s Growth

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, is providing its general rules to protect the privacy of Italian citizens. “At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU.” [Full Story]

EU – Garante, DIS Enter Cooperative Protocol

The Garante, Italy’s data protection authority, and DIS, the country’s intelligence department, have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet.” “At the same time this is a proof of evidence that a different model of cooperation on the ground of the intelligence services is possible. Citizens have to believe that another world is possible and their rights might be protected together with their security and safety.” [Privacy Advisor]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

UK – Message-Sender Successfully Appeals 300,000 GBP Fine

Christopher Niebel has successfully appealed a 300,000 GBP fine for sending spam text messages after challenging “whether the Information Commissioner’s Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws.” Niebel and fellow Tetrus Telecoms co-owner Gary McNeish were fined a combined 440,000 GBP by the ICO last year “for breaching the UK’s Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.” However, an Information Rights Tribunal upheld Niebel’s appeal, ruling “insufficient damage or distress had been caused to recipients to merit the penalty being imposed,” the report states. []

Facts & Stats

WW – Breaches More Widespread Than Reported

A new security survey has found that 57% of malware analysts said they have worked on enterprise-related data breaches that were not disclosed. The ThreatTrack Security survey interviewed 200 security professionals. For larger businesses, with more than 500 employees, the number jumps to 66%. The reason behind not disclosing breaches may stem from attempts to save brand reputation or avoid difficult questions from customers and investors. [ZDNet]


EU – Facebook Discloses Gov’t Data Requests

A recent hearing organized by the European Parliament’s civil liberties committee featured Richard Allan, director for public policy for Facebook in Europe, who discussed the number of demands for data by EU governments. Allan said Facebook received 8,500 requests from the EU on 10,000 user accounts during the first six months of 2013. By comparison, U.S. officials made 12,000 requests for data on as many as 21,000 user accounts. Meanwhile, CIO reports on the nuances of Facebook’s updated data use policy and statement of rights and responsibilities. And a new poll indicates four out of five people have changed the privacy settings on their social media accounts, most within the last six months. [New York Times Bits]

WW – Google Transparency Report

According to Google’s most recent transparency report, the US government made nearly 11,000 requests for user information from the company in the first six months of 2013. The Indian government made 2,700 requests of Google in that same period. The company makes note of the fact that the numbers represent only those requests that they are permitted by the US government to disclose. [CNET]

US – Apple’s Transparency Report Includes “Warrant Canary”

Apple has filed its first transparency report, enumerating government requests for data from devices, iTunes, and other content services. Along with the report, Apple has filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking approval to release more detailed information. Apple received the vast majority of its data requests from the US government, but also received requests from the governments of the UK, Germany, Australia, Spain, Singapore, and France. Apple’s report also includes these sentences: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” The statement is called a “warrant canary” because its absence from future reports would indicate that the company had received such an order. [CSMonitor] [ComputerWorld]

WW – Apple: “Our Business Does Not Depend On Collecting Personal Data”

Apple published a formal report on federal government data requests. In it, Apple says its business “does not depend on collecting personal data … We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches or Siri requests in any identifiable form.” It adds that the U.S. government doesn’t allow it to disclose the number of national security orders “or whether content, such as e-mails, was disclosed” and that it opposes such a gag order. Earlier this week, the company lobbied for restrictions on government surveillance. [All Things Digital]

US – Is California Transparency Law Still Effective 10 Years Later?

The American Civil Liberties Union of Northern California (ACLU) has published a policy paper looking at the state’s Shine the Light law of 2003. The paper looks at whether the law, now 10 years old, is still effective in providing transparency about how businesses handle personal data. “From revelations of widespread NSA spying to high-profile data breaches, the need to know what is happening to our personal information is more important than ever,” the ACLU said. [ACLU] [Losing the Spotlight: A Study of California’s Shine the Light Law]


WW – Microbe Research Raises Privacy Concerns

NPR reports on the American Gut Project , a “citizen science,” crowd sourced, microbiome initiative designed to help scientists learn more about the friendly and dangerous microbes living in and around the human body. Organizers of the project need reams of personal information—including swabbed samples and detailed logs of a subject’s daily diet—to help illuminate the research, but some bioethicists are expressing privacy concerns. One expert said, “If you have privacy concerns at all, you shouldn’t do it.” Though the information is confidential, there’s no guarantee that it will be protected and it’s possible that a volunteer’s DNA samples might inadvertently become public, the bioethicist noted. [Source]

Health / Medical

US – Hospitals Prepare to Digitize Records for Sharing

In Texas, a new program will digitize the medical records of every hospital in the San Antonio region. The data—about 600,000 records in total—will eventually be shared in real time with hospitals, doctors and patients themselves. Patients are permitted to opt out if they wish. Meanwhile, VMware has announced a new service aimed at helping with HIPAA security requirements by providing Business Associate Agreements. “The healthcare IT industry needs trusted, reliable and stable business associates that will help address the appropriate administrative, physical and technical safeguard requirements under HIPAA security rules,” said the chief information officer at Hackensack University Medical Center. [Texas Public Radio]

US – Breach Settlement First to Award Plaintiffs Who Aren’t ID Theft Victims

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. A report from Becker’s Hospital Review notes that it is the first breach case to extend payments to plaintiffs who were not victims of identity theft. “Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft,” states Reed Smith’s Global Regulatory Enforcement Law Blog.

Horror Stories

US – One Million Affected in Software Company Site’s Hack

Internet security firm Hold Security says it has discovered that a limousine software company has been hacked, resulting in credit card numbers and other details on close to one million customers being exposed. Jonathan Mayer, a cybersecurity fellow at Stanford University, said Corporatecaronline’s website was running outdated software that made it vulnerable, but “you don’t have to be a big target to be at risk online anymore. This is the new normal, and it underscores the need for improving the regulatory framework.” [Detroit Free Press]

EU – Loyaltybuild Data Breach Affects More Than One Million People

More than 1.5 million Europeans have had personal information compromised by a security breach at Loyaltybuild, a company that manages customer loyalty programs across Europe. International security firm Garda has launched an investigation into the incident, which saw nearly 400,000 individuals’ credit card details exposed. Irish Data Protection Commissioner Billy Hawkes said the financial data was not encrypted. Another 150,000 individuals’ details have been “potentially compromised,” and the breach looks to be the result of an external criminal act, Hawkes said. Meanwhile, in the U.S., hundreds have been affected by a data breach dating back to 2001 in Indiana. [Irish Times] [The Register] [Irish Examiner]

Internet / WWW

WW – At Hearing, Google Says NSA Could Cause “Splinternet”

During a Senate Judiciary Subcommittee hearing on the Surveillance Transparency Act of 2013, Google Director of Law Enforcement and Information Security Matters Richard Salgado expressed concerns that the Snowden disclosures, along with gag orders placed on the company by the U.S. Department of Justice, are hurting U.S. businesses around the world economically and may cause a fractured Internet. Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” he said. [The Privacy Advisor].

EU – Germany and Brazil Present Internet Privacy Resolution to UN

Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution. [The Associated Press]

US – NIST Looking for Advisors for Privacy Panel

The National Institute of Standards and Technology (NIST) has announced it is looking for new members to its Information Security and Privacy Advisory Board (ISPAB). The board’s objective is to identify emerging issues affecting information security and privacy and advise NIST’s leadership, the secretary of commerce and the Office of Management and Budget on such trends. A NIST notice states , “Nominees should have specific experience related to information security or privacy issues, particularly as they pertain to federal information technology.” Microsoft Chief Privacy Officer Brendon Lynch wrote about why privacy professionals are needed in the NIST framework process. [Government Security News]

US – NIST Will Review Standard Development Process

The National Institute of Standards and Technology (NIST) plans to review its standards development process. The organization hopes to restore the credibility that took a hit several months ago when news stories broke that the NSA may have included a backdoor in a NIST-approved encryption algorithm. NIST will open its process for public review as well as review by an as-yet unnamed third-party organization. In a November 1 statement, NIST wrote, “Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.” [Ars Technica]


NZ – Parliament Considers Privacy Principles

The New Zealand Parliament is considering adopting a set of privacy principles that would help protect both MPs and journalists. Privacy Commissioner Marie Shroff, who recently reflected on the evolution of privacy in the past decade, told Parliament’s Privileges Committee “it might be useful for the Privacy Act principles to be used as some sort of a guide within the Parliamentary precinct when difficulties occur over the use of information.” With the Privacy Act and the Official Information Act already established, she suggested there is no need to “reinvent the wheel.” [Radio New Zealand]

NZ – Bill Could Put Cyber Bullies Behind Bars

A new bill being introduced in the New Zealand Parliament could see cyber bullies facing up to three years in prison. The Harmful Digital Communications Bill is backed by Justice Minister Judith Collins and would create a criminal offence for “sending messages or posting material online with intent to cause harm—including threatening and offensive messages, harassment, damaging rumours and invasive photographs,” punishable by up to three months in prison or a $2,000 fine, the report states. The bill would also establish an agency responsible for handling complaints. [The Sydney Morning Herald]

ID – Indonesia May Consolidate Privacy Law

“Indonesian data privacy protection is spread over several pieces of legislation such as the Human Rights Law, ITE Law, Code of Criminal Procedure and others,” but the government is discussing consolidating it into a single law, Lexology reports.

IN – Analysis of India’s Privacy Bill

Neeral Dubey of PSA Legal Counsellors examines The Privacy Protection Bill, 2013 for Mondaq, including the domain and protection of personal data and the punishment for offenses. “Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit,” Dubey writes, concluding, “Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.”

Online Privacy

EU –Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland

Swiss telecommunications company Swisscom plans to establish a “Swiss cloud” that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country’s government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance. [The Register] [] [Ars Technica] [Reuters]

US – MIT Launches Big Data Privacy Working Group

The Massachusetts Institute of Technology (MIT) Big Data Initiative, under its Computer Science and Artificial Intelligence Lab (CSAIL), has announced it is launching a new Big Data and Privacy Working Group to bring together industry, government and academia to address and find solutions for problems arising out of the intersection of Big Data innovation and privacy. CSAIL Principle Research Scientist Daniel Weitzner said, “The goal of the group is to encourage long-term thinking on the role of technology in protecting and managing privacy, in particular when large and diverse data sets are collected and combined,” and added, “We have a wide variety of technical approaches to privacy protection but don’t have a good handle on how they might actually work at scale or whether we need to develop new technical tools.” [MIT News]

US – Schools Share $38 Million Big Data Grant

The University of Washington, New York University and the University of California-Berkeley are sharing a $38 million grant to spread Big Data analysis skills to various professional fields. “Our goal is to figure out how to rapidly evolve universities to support and utilize data-intensive discovery,” said Ed Lazowska, eScience Institute founder and computer science professor at the University of Washington. “We have been doing this on a small scale, but now we’ll be able to work the problem at a large scale and as a collaboration among three teams that include some of the strongest faculty at some of the nation’s strongest universities.” [The Seattle Times]

US – Plaintiffs: VPPA Case Should Proceed, Even With Lack of Financial Harm

Hulu users involved in a potential class-action lawsuit are urging a federal judge to allow the case to proceed. The Hulu users have asked U.S. District Court Judge Laurel Beeler to reject Hulu’s motion to be awarded summary judgment in the case, saying that the case should proceed even if they do not prove financial harm. The class members claim Hulu violated the Video Privacy Protection Act (VPPA) by allegedly sharing user data with Facebook and comScore, but Hulu claims that consumers were not financially harmed in the case. The consumers argued, “A violation of the VPPA simply does not require a threshold showing of pecuniary damages.” [MediaPost]

US – Colleges Increasingly Checking Applicants’ Social Media Accounts

According to Kaplan research, 31% of admissions officers visited an applicant’s Facebook page or other social media account last year in determining admissions, a 5% jump over last year. The research is indicative of the increasing role students’ digital footprints play in whether or not they gain admission to college in the U.S. “To me, it’s a huge problem,” said Bradley S. Shear, a social media-focused lawyer. “Often, false and misleading content online is taken as fact.” However, we might all agree that one Bowdoin College applicant’s decision to snarkily tweet mean-spirited comments about fellow applicants while on a tour of the school was ill advised. [New York Times]

WW – Facebook Asks Adobe Users to Change Passwords

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.” [KrebsonSecurity]

WW – Closed-Circle Feature Added to Google+

Google has added a new feature to Google+ to ensure private conversations remain private. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created. [Think Digit]

WW – Google to Limit Windows Chrome Extensions to Chrome Web Store

in January 2014, Users of Chrome on Windows will be permitted to install extensions only from The Chrome Web Store. Currently, users are asked if they want to install extensions when they originate outside of the Chrome store, but attackers have found methods to bypass that warning mechanism. [CNET]

WW – Chrome Canary Detects Suspicious Downloads

The Canary build of Google’s Chrome browser has been updated to include functionality that detects malware attempting to download. A warning will appear at the bottom of the browser window when Canary detects an attempted malware download. Chrome Canary build is the name given to the “bleeding edge” channel of the browser, before it reaches the channel. Most features that are added to Canary do eventually appear in Dev, and then on into Beta and Stable versions of the browser. [ComputerWorld] [The Register]

WW – Firefox Beta Moves Toward Click-to-Run Default for Plug-ins

The most recent beta version of Firefox moves closer to making “click-to-run” the default status for all plug-ins. The new feature will not automatically run plug-ins when pages are opened. Instead, users will see a box warning that the plug-ins the page requires may be vulnerable. Content will display only if users explicitly allow each plug-in. The only exception will be the most recent version of Flash. Other browsers have made exceptions for Flash as well. Google bundles Flash in its Chrome browser, making sure to push out updates when available, so that users are always running the most current version. [The Register]

WW – Microsoft Updates Policy Ahead of xBox One Launch

Ahead of the launch of the Xbox One, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law.” Users are permitted to disable targeted ads and tracking through an opt-out page. [Ars Technica] See also: [Will Kinect 2.0 and COPPA Play Well Together?]

Other Jurisdictions

BR – Brazil Calls for End to “Excessive Electronic Surveillance”

Following the country’s outrage over the U.S. National Security Agency’s (NSA) spying scandal and calls for new legislation, Brazil has put forth a resolution calling for an end to excessive electronic surveillance. Brazilian President Dilma Rousseff, who canceled a trip to Washington, DC, following reports that the NSA had intercepted data from her office, said the U.S. has broken international law. “Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal,” Rousseff said. “They are unacceptable.” [BBC News]

KZ – Kazakhstan Privacy Law Coming Into Effect Soon

Kazakhstan’s data privacy law, On Personal Data and Their Protection, goes into effect on November 26, making it the second country in Central Asia to enact a privacy law, reports Hunton & Williams’ Privacy and Information Security Law blog. The new law will work with the existing sectoral regulations and, while no English translation is available, according to the report, analyses suggest it applies to both public and private sectors.

CN – China Amends Consumer Protection Law

The Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests, reports Hunton & Williams’ Privacy and Information Security Law Blog. The amendments will take effect on March 15 and include increased penalties for violations of consumer rights, a new rule on punitive damages and a ban of unauthorized disclosures of consumer personal information, among others.

BR – Brazil to Consider Online Privacy Bill

Brazil will take up an online privacy protections bill that business groups fear will stymie the free flow of data. The bill, to be considered by Brazil’s Chamber of Deputies this week, would create restrictions on how Internet service providers use Brazilians’ personal data and would require companies to build local data centers in order to do business in Brazil. “Global data flows rely on data centers dispersed all over the world,” wrote a group of 47 industry reps from the U.S., Brazil, Europe and Japan to Brazil’s National Congress. “Thus, in-country data storage requirements would detrimentally impact all economic activity that depends on data flows.” A vote could take place Monday. [Politico]

Privacy (US)

US – Judge: Peer-to-Peer Data Isn’t Protected Under Fourth Amendment

A federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network. The case involved three men charged with a crime who claimed the police illegally gathered data from their computers using a peer-to-peer search tool and then obtained a search warrant based on that data. The defendants asked the judge to suppress the evidence based on a violation of their Fourth Amendment rights, but District Court Judge Christina Reiss denied the motion, stating the defendants made the data public when they posted it over a peer-to-peer network. Other courts have ruled similarly where peer-to-peer networks are involved. [Computerworld]

US – FTC Denies Company’s Consent Method

The FTC has denied AssertID’s application seeking approval of a parental consent method. The FTC said in a letter to the company that its proposal “failed to provide sufficient evidence that its method would meet the requirements” under the Children’s Online Privacy Protection Act. The company hoped to use a method called “social-graph verification,” but the FTC said in a 4-0 vote there hadn’t yet been sufficient research or testing to prove its efficacy. [FTC Press Release]

US – Internet Association Backs Airbnb in NY Privacy Conflict

The Internet Association—a group of web companies including Google, eBay, Facebook and Amazon—have filed papers in New York arguing that an attempt by the state’s attorney general to compel Airbnb to turn over its customers’ data will set a precedent that could harm online business. “The prospect of law enforcement authorities, regulators and other government personnel being able to obtain broad swaths of information about consumers under no articulated suspicion of wrongdoing would unduly discourage participation in these online services,” the filed paper states. [MediaPost]

US – Parents to Sue NY Education Dept.

A group of New York City parents is planning to file suit “to block the state Education Department from sharing their kids’ data—including test scores and discipline records—with private companies.” The suit, which is to be filed in New York Supreme Court, comes in response to “the controversial $100 million inBloom project being built by the company Amplify,” the report states, noting the parents allege the project “violates the state’s Personal Privacy Protection Law, forbidding state agencies from giving personal info to companies without consent, unless state law specifically requires the agencies to do so.” The suit follows concerns about inBloom raised in other states. []

US – Man Says Data Broker Is Liable in Harassment Case

A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act. [Law360]

Privacy Enhancing Technologies (PETs)

WW – Two Tracking Techs Emerge from Hackathon

Last week, online privacy service Ghostery hosted a hackathon to create new user-friendly technologies to enhance online privacy. One team created a browser plug-in to reveal the companies that are tracking users by placing photos of the companies’ top executives on screen. A second top vote-getter focused on measuring the amount of time trackers add to page loading time. The latter system works in tandem with Ghostery and allows users to opt out of tracking. For the next month, users in the Ghostery community have the option to vote for the best service, which will then present its technology at South by Southwest next year. [AdAge]

US – NIST to Update Smart Grid Guidance

The National Institute of Standards and Technology (NIST) is revising its smart grid guidance to address vulnerabilities and privacy issues that have become more of a concern over the past few years. While the U.S. power grid is years away from being a true smart grid, NIST says in the draft of the guidance, “Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid.” Rebecca Herold, who leads NIST’s Smart Grid Cybersecurity Committee’s privacy subgroup, said the new draft will “allow all players in the smart grid to proactively address privacy issues as they create the wide variety of services and components involved, instead of waiting until after the fact, and after privacy incidents, to try to tack privacy on as an after-thought, which is never nearly as effective—as history has taught us.” [BankInfoSecurity]


WW – SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked

A survey from McAfee and Office Depot of more than 1,000 small and medium-sized businesses (SMBs) found that two thirds were confident of the security of their data and devices. More than three-quarters of the companies said they had not been the victims of cyber attacks. There is a significant discrepancy between those numbers and research, which shows that SMBs are often targeted by cybercriminals. 72% of breaches investigated by Verizon’s forensic analysis unit in the company’s most recent Data Breach Investigations Report were of companies with fewer than 100 employees. It is likely that many SMBs are simply not aware that they have been attacked. [InfoSecurity]

US – Survey Suggests Majority of Breaches in US Undisclosed

According to a survey, more than half of all data breaches experienced by companies in the US remain undisclosed. The study surveyed 200 security professionals who conduct malware analysis; 57% said they had investigated or helped manage fallout from a data breach that was not disclosed by the targeted company. [ZDNet] [CSO Online]


US – CIA Allegedly Engaged in Bulk Collection

A Central Intelligence Agency (CIA) program collects bulk records of international money transfers, including transfers inside and out of the U.S. from companies such as Western Union. Unidentified officials said the program operates under provisions within the USA PATRIOT Act and is overseen by the Foreign Intelligence Surveillance Court—similar to the National Security Agency’s phone records metadata program. One official said, “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws.” Meanwhile, Ars Technica reports on a new social media monitoring service unveiled by LexisNexis to aid local law enforcement in mining social media posts for intelligence. [The New York Times]

UK – GCHQ Spoofed LinkedIn & Slashdot to Access Telecoms’ Internal Networks

According to leaked documents, the UK’s GCHQ spoofed LinkedIn and Slashdot pages to install malware on the computers of certain engineers working for global roaming exchange providers in Europe. Once the malware was on the computers, intelligence agents were able to gain access to internal networks of Belgian telecommunications company Belgacom and its subsidiaries. The method used to infect the computers is known as “Quantum Insert” and was developed by the NSA.[Der Spiegel] [WIRED] [ComputerWorld] [Ars Technica]

WW – As NSA Fallout Continues, Investigations Launched

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global Swift money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services.” “We will investigate if the security of the networks and databases of Swift containing huge quantities of personal data related to bank transactions, of among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden’s revelations about NSA surveillance could be “much if not most of the open web will be encrypted by default.” [Bloomberg]

WW – Google Engineers Angry Over NSA and GCHQ Snooping

Google has begun encrypting traffic between its data centers after leaked documents indicated that the NSA and GCHQ had been targeting the fiber-optic networks that transmit data between Google data centers in a data harvesting operation dubbed MUSCULAR. (For the record, the operation also snooped on traffic between Yahoo data centers.) The traffic was not encrypted before because it was considered internal to the company. Google executive chairman Schmidt was vocal about his feelings regarding the situation, calling the operation “outrageous” and “perhaps illegal.” Google engineers have also vociferously expressed their anger about the situation. [Ars Technica] [ZDNet] [The Register]

WW – Tech Companies Want Restrictions on Gov’t Surveillance

Following news that the National Security Agency (NSA) was tapping into Yahoo and Google data centers, a coalition of tech companies is calling on Congress for restrictions on government surveillance. Google, Yahoo, Microsoft, Facebook, Apple and AOL have asked for “substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms.” Meanwhile, a U.S. senator and privacy advocates are raising concerns that a bill introduced last week to amend the Foreign Intelligence Surveillance Act would give the NSA permission to collect massive amounts of not only Americans’ phone records, but e-mails as well. [MediaPost]

US – House Committee Wants Answers from VA About Cybersecurity Practices

The US Department of Veterans Affairs (VA) is coming under scrutiny from a congressional committee after offering inconsistent explanations for several data breaches since 2010. The state-sponsored cyberattacks have compromised personal information of more than 20 million veterans and their family members. In the past three weeks, the House Veterans Affairs Committee has made six formal inquiries to the VA’s Office of Information and Technology regarding the agency’s IT security practices and compliance with federally mandated standards. The agency has a backlog of unanswered inquiries dating back to June 2012. The most recent round of inquiries arose after it became clear that VA networks were compromised multiple times since March 2010, but officials have been unable to determine what data were compromised. [FCW]

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan Tuesday on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Diane Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

US – Surveillance Constitutionality May Be Tested in Court

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

Telecom / TV

US – IBM to Acquire Fiberlink Communications

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.” [IBM]

US Government Programs

US – U.S. Willing to Consider Reforms

Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) David Medine said the government is open to changes about how it conducts phone and Internet surveillance programs as long as they don’t undermine the programs’ effectiveness. PCLOB is now examining how to balance thwarting terrorist plots with protecting Americans’ privacy. It will present a report to President Barack Obama on suggested reforms to surveillance programs. In an opinion piece for The Atlantic, Conor Friedersdorf says defenders of digital surveillance programs should apply the logic to the analogue world, where “everyone recognizes the absurdity of effectively outlawing privacy.” [Chicago Tribune]

US – Gov’t Considers Removing NSA from Military Command

The Obama administration is considering removing the U.S. National Security Agency (NSA) from military command and appointing a civilian to lead it. Gen. Keith Alexander is retiring in 2014, and a list of his potential replacements is being compiled. Meanwhile, plans for a European Internet—a direct response to the NSA revelations this summer—is being discussed by German company Deutsche Telekom. The company aims to keep German citizens’ data safe from foreign governments. And Privacy International has announced a new project that seeks to promote data protection within humanitarian efforts. [The Guardian]

US – White House May Consider Civilian to Head NSA

When NSA chief General Keith Alexander steps down from his post next year, the White House may nominate a civilian candidate to fill the position. The NSA has drawn its leaders from within the military since the agency’s inception in 1952. Alexander currently also heads the US Cyber Command, so a civilian NSA director would be considered only if the White House decides to split the two positions after Alexander steps down. A civilian nominee would likely have to face Senate confirmation hearings. A qualified civilian candidate may be difficult to find, as the job requires a depth of technical knowledge and “familiarity with intelligence gathering.” Jim Lewis, senior fellow at the Center for Strategic and International Studies, notes that a civilian NSA director may encounter difficulty providing intelligence for military operations. [The Hill]

US – NSA and Cyber Command Leadership Likely to be Separate

It appears likely that the next person to serve as NSA chief will not have authority over US Cyber Command, as does current NSA chief General Keith Alexander. Both military officials and legislators are leaning toward dividing the positions to prevent abuse of power and to help restore public trust in the NSA. Alexander, who was appointed head of the NSA in 2005 and acquired the leadership role at Cyber Command in 2010, plans to step down from those positions next year. He believes the two roles should be connected because agencies could end up squabbling over resources and decisions. [The Hill] [CNET]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” State AGs concurred recently at the IAIPP Privacy Academy. The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – DHS Submits Annual Report on Privacy to Congress

In her first public communication, new U.S. Department of Homeland Security CPO Karen Neuman posted on the DHS blog that she has officially submitted the DHS Privacy Office’s 2013 Annual Report to Congress . “As the Privacy Office enters our tenth year,” she writes, “we will continue to ensure that DHS stays committed to protecting the privacy of all individuals, and providing the greatest level of transparency and accountability possible.” The report, which stretches to 86 pages, opens with a message from Deputy CPO Jonathan Cantor, who acted as CPO for much of the time the report covers, and outlines how the department accomplished goals related to its privacy and disclosure policy, advocacy, compliance, oversight and workforce excellence. [DHS]

US – Inspector General: DHS Lacks Resources to Handle Online Threats

The Department of Homeland Security’s (DHS) inspector general says DHS has struggled to respond to cybersecurity threats because of “lingering technical, funding and staffing woes.” In an October 24 report, the inspector general said DHS lacks the tools and training needed to track hackers who are after U.S. banks and other businesses and needs more resources in order to be able to communicate threats to its cybersecurity workforce in real time. There is a system to distribute event reports and another for distributing response information, but the two are not connected. The IG’s report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. While President Barack Obama has nominated someone for the post, DHS currently lacks a leader. [Politico] [NextGov] []

US – Report Finds NSA, GCHQ Mass Surveillance Violated EU Law

A new study reveals that dragnet Internet surveillance by the U.S. National Security Agency (NSA) and the UK’s GCHQ violated European privacy law. The study’s authors, Sergio Carrera of the Centre for European Policy and Francesco Ragazi of Leiden University, have urged the European Parliament to “break the wall of silence,” the report states. Meanwhile, a report in Foreign Policy contends that, in the debate about the NSA’s surveillance programs, “privacy is a red herring.” [ComputerWeekly]

US Legislation

US – Lawmakers Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. The bipartisan legislation, which has won the support of advocacy group Consumer Watchdog, “would prohibit web giants … from collecting personal information, including location data, on children ages 15 and younger” without permission, the report states, describing teenagers as “a group that is leaving extensive digital dossiers” through the use of social media. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill] [The Washington Post]

US – Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds

A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company that alleges breaches at Wyndham and its three subsidiaries comprised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. A Covington & Burling InsidePrivacy post noted, “Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.” [Full Story]

US – Is Cali’s “Eraser” Bill the Wrong Approach?

Recently passed legislation in California essentially creates an “eraser” option for children and teens. Yet, privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy with their privacy in the first place, whereas older users may not be as sophisticated. Center of Democracy and Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California. [Al Jazeera]

US – FAA Releases Roadmap for UAS Integration

The Federal Aviation Administration has released an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six tests sites, which will help “inform the dialogue” with privacy and civil liberties concerns. [WIRED] See also: [Calo: FAA Plan “Sensible”; Not All Agree]

US – Markey Introduces Drone Bill

Sen. Ed Markey (D-MA) has filed a bill that would require the Federal Aviation Administration (FAA) “to insert privacy protections in its examination into the possibility of allowing drones to be flown in commercial airspace.” Markey explained his Drone Aircraft Privacy and Transparency Act would require the FAA to ensure warrants are in place before using drones for surveillance. “Before countless commercial drones begin to fly overhead, we must ground their operation in strong rules to protect privacy and promote transparency,” he said. [The Hill]

US – SCOTUS Lets Facebook Settlement Stand

The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.” [Bloomberg]

US – Privacy Group Can Finally Start Work as Facebook Beacon Suit Ends

After three and a half years of legal wrangling, the U.S. Supreme Court let stand a $9.5 million settlement between Facebook and class-action plaintiffs, bringing an end to the case triggered by the Beacon advertising program. It is the just the beginning, however, for the Digital Trust Foundation. Created by the settlement and led by Berkeley Center for Law and Technology head Chris Hoofnagle, the DTF will now begin developing grant-making guidelines for organizations seeking a portion of the $6 million in funds allocated for the study of online privacy. [Ad Age]

US – Federal and State Regulators on How to Get “Off the Hook

The FTC has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. [The Privacy Advisor. Full Story]

US – What Privacy Pros Need to Know About the NIST Cybersecurity Framework

As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, that they understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker. [Full Story]

US – California’s Tidal Wave of Legislation: A Roundup

For more than a decade, California has stood at the forefront of the privacy legislation wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the California Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. In this exclusive for The Privacy Advisor examines five new laws as well as legislation that is currently pending in California. [Full Story]

US – U.S. Urges EU to Preserve Safe Harbour

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra’s reported involvement in the surveillance network.” [Full Story]

Workplace Privacy

US – Employee Monitoring: What’s Allowed and What’s Not?

Employers walk the line between protecting company resources and ensuring productivity and becoming big brother to their staff. Technology is available to monitor everything from computer use to hallways, but just because it’s out there, doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. [Close-Up: Workplace Privacy]

US – Case Over Workplace Audio Recordings Offers Insight

The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers. [Full Story]


17-31 October 2013


CA – Comparing Manitoba’s Privacy Law With Alberta’s

Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states. [Full Story]


WW – Website, Researcher Rate Sites on Practices

A fledgling site is using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—was thrust into overdrive since the NSA revelations. [Forbes]

US – Study: Consumers Enjoy Personalized Experience

A recent study indicates consumers want to be understood by the businesses with which they interact. In the SAS Institute survey, 71% of respondents said they are in fact concerned about recent news on government surveillance, but 60% said they expect businesses to know their preferences and understand their needs, the report states. In a post for The Wall Street Journal, University of Miami Associate Prof. Robert Plant discusses how consumers can make money off of their own data. Meanwhile, IBM’s Jeff Jonas writes that if a company is going to profit from consumer data, it must at least be transparent about it. [eWeek]

Electronic Records

WW – Researchers Push for More Patient Data Sharing

Two papers published in the New England Journal of Medicine back an international push to get drug companies to share patient-level data from clinical trials. Pharmaceutical industry reformers have been calling on drug companies to release patient data in order to ensure the safety and effectiveness of new drugs. Blowback from the release of certain pharmaceuticals, including Vioxx and Avandia, has revealed the dangers of concealed clinical drug trials, the report states. A group of academics advocating for such transparency said, “The question is not whether, but how these data should be broadly shared.” A Europe-based group of researchers said, “A managed-release environment that allows sharing of patient-level data while ensuring patient privacy would create a level playing field for all stakeholders.” [Milwaukee-Wisconsin Journal Sentinel]

US – Health Privacy Startup May Have Privacy Problem

Medical records startup Practice Fusion—which recently received $134 million in venture capital—and its potential privacy problem. The company offers free patient management services. It also has 75 million records of patients’ health conditions and prescriptions. The data is allegedly de-identified and then becomes available for analysts, pharma companies and market research. It launched a doctor review site in April filled with 30,000 doctor profiles and more than 2 million patient reviews. In some cases, neither the doctors nor patients knew the reviews would be available publicly. Meanwhile, Sen. Edward Markey (D-MA) has called on Walgreens to answer the privacy impact of its new “Well experience” pharmacy model. [Forbes]

US – Working the Kinks Out of the US’s Health Insurance Online Marketplace

President Barack Obama is launching a “tech surge” to address glitches in, the web online marketplace designed to help people find health insurance under the Affordable Care Act. Improvements that have been implemented since the site’s launch include increasing server capacity to deal with high levels of traffic and allowing people to preview plans without having to fill out a form. [NextGov] [ArsTechnica] [LA Times]


US – Ruling Threatens Internet Privacy, Brief Says

The Electronic Frontier Foundation (EFF) filed a brief arguing that a court order requiring secure e-mail provider Lavabit to hand over its master encryption key undermines the security and privacy of the Internet. Filed in the U.S. Court of Appeals of the Fourth Circuit, the brief contends the order would have allowed the U.S. government to access the personal information of all of Lavabit’s 400,000 users. “This is like trying to hit a nail with a wrecking ball,” the EFF brief stated. Meanwhile, LinkedIn’s Intro service is raising privacy and security concerns. [IDG News Service]

WW – Anonymous VPN Service Shuts Down, Cites Gov’t Intrusion

CryptoSeal Privacy, a service providing anonymous virtual private networks, has shut down the consumer service portion of its business rather than risk U.S. government intervention. The move follows a similar business decision by former e-mail service provider Lavabit. A legal filing in Lavabit’s case has been seen as troubling for Cryptoseal, the report states. CryptoSeal wrote, “Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner … The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service.” [Ars Technica]

WW — E-mail Encryptors Form Dark Mail Alliance

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.” [Forbes]

WW – Windows 8.1 Comes with Automatic Disk Encryption

Microsoft Windows 8.1 ships with automatic device encryption enabled by default, but the feature’s hardware requirements mean that it works only on newer systems. [ArsTechnica] [ArsTechnica] [CNN]

US – US Government Sites Using Expired SSL Certificates

More than 200 US government websites appear to be using expired SSL certificates, putting site visitors at risk of having personal information stolen through man-in-the-middle attacks. Some of the expired certificates may be due, in part, to the government shutdown. According to a study from the University of California, users are likely to click through messages warning of expired certificates. [IT News] [NextGov] [Study of Browser Security Warning Effectiveness]

EU Developments

EU – LIBE Adopts Compromise Amendments; Sends Draft To Council

The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.” [Privacy Advisor] See also: [Has the LIBE Committee Torpedoed the Safe Harbor?]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

EU – Two Years Later, LIBE to Vote on Reg

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strausburg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.” [Full Story]

UK – Gov’t to Consult on Jail Time for Breaches

The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states. [Full Story]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [Full Story]

UK – ICO: We Do Not Discriminate

Computing reports on the insistence of the Information Commissioner’s Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion “nobody has been ‘let off’ fines” since the ICO received the power to levy fines up to 500,000 GBP three years ago. “I think there’s certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a pay day loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.” [Full Story]

EU – ECHR Anonymous Posting Decision Sparks Concern

The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, “This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals’ rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states. [Full Story]

EU – France Backs Fines for Sharing with U.S. Gov’t

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens trust,” said European Commission President José Manuel Barroso. [The Telegraph]


UK – UK ISPs Ordered to Block More Sites in Bid to Quell Piracy

A UK court has ordered Internet service providers (ISPs) there to block 21 additional websites suspected of encouraging illegal music filesharing. The blocks must be in place by Wednesday, October 30. Earlier orders have called on UK ISPs to block eight other sites, including The Pirate Bay. [BBC]


EU – Parliament To Vote on Suspending SWIFT

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding. [EU Parliament]

US – Are Banks Regularly Violating the GLBA?

Forbes reports on the selling of personal information by the financial industry and new research by Carnegie Mellon University Prof. Lorrie Faith Cranor. She, along with her students, analyzed 3,422 financial institutions to better understand their data-sharing practices and to see whether they comply with the Gramm-Leach-Bliley Act (GLBA). Her research found that practices varied widely—including 27 organizations that violated GLBA regulations altogether, the report states. “There is really no way for a consumer to find the good banks,” Cranor said, “because you would never think to check all the privacy policies.” JP Morgan Chase Director of Public Affairs Steve O’Halloran said, “We post our consumer privacy notice on On this page, you’ll notice that customers can limit information that is shared with affiliates and non-affiliates.” [Forbes]

Health / Medical

US – Tiger Team Uncovers Skepticism of HIPAA Disclosure Rule

As the U.S. Department of Health and Human Services’ Office of Civil Rights prepares to finalize rules for accounting disclosures as part of the HITECH Act, the Privacy and Security Tiger Team (part of the Office of the National Coordinator’s Health IT Policy Committee) is surveying stakeholders, and the stakeholders aren’t thrilled. The disclosure rule allowing patients to ask for a report detailing all internal access to their records is “misguided,” says the American Hospital Association. The Confidentiality Coalition fears “frivolous lawsuits.” The National Association of Chain Drug Stores says there will be “enormous new burdens.” Comments are open through Oct. 25 if you want to chime in. [Government Health IT]

US – Healthcare Breach Case a Boon for Encryption?

A California appeals court ruled that the Board of Regents at the University of California can’t be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. The decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion “introduces risks to beneficiaries’ personal information.” [mHealth News]

Horror Stories

US – Laptop Thefts Result in Medical Breaches

A breach at California’s AMHC Healthcare where two laptops containing the personal health information of 729,000 patients were stolen. According to medical breach data kept by the U.S. Department of Health & Human Services, the breach is the second largest this year. [FierceHealthIT]. Seton Healthcare Family in Texas has also announced a breach involving a laptop theft.

WW – Adobe Breach Affected At Least 38 Million Users

The estimated number of registered Adobe products users affected by a recent breach of that company’s systems has been increased to more than 38 million. The breach was initially disclosed at the beginning of October. At that time, Adobe said that the attackers stole encrypted credit card information of three million customers. In addition to increasing the number of affected users, Adobe also said that the breach appears to have compromised source code for Photoshop. [KrebOnSecurity]

WW – Breach Roundup…

Meanwhile, the Department of Energy says the number of people affected by a breach resulting in stolen data in July 2013 is more than double the number it initially estimated. A new survey indicates two-thirds of U.S. adults wouldn’t return to a business if their personal data was stolen.

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action. [Bank Info Security]

Hackers broke into database service MongoHQ using the compromised username and password of an administrator. The hackers made off with the data of a “limited number” of users. [eWeek]

In Missouri, Boone Hospital Center has begun notifying 125 patients that an employee working with an affiliated clinic may have accessed their personal information, including birthdates, Social Security numbers and medical diagnoses. [eSecurity Planet]

In Minnesota, Allina Health has started to notify patients that their personal health information was improperly viewed by a certified medical assistant. More than 3,000 patients were affected, though it is not believed the information has been used nefariously. The medical assistant has since been fired.

Insurance company Fidelity Life says a USB stick with sensitive data on about 1,200 clients was stolen from an employee’s car. The data included personal bank account numbers on people who had investments with a recent acquisition, Tower Health and Life.

In South Carolina, about 33,000 residents have enrolled in the state’s new identity theft protection service. Those eligible for protection had their data exposed in last year’s hacking of the state Revenue Department. A new study indicates that of 16 million victims of payment card information breaches in 2012, more than 25 percent were also victims of identity theft. The report found that retailers are the prime targets for payment card breaches, and that’s a trend that doesn’t look to be changing soon.

A recent data breach at Adobe impacted at least 38 million users, the company says. The stolen data was posted last weekend to Adobe has been contacting those who’s encrypted password information was stolen and urged them to reset their passwords [KrebsonSecurity].

Supermarket chain Schnuck Markets has recently agreed to a proposed class-action settlement following a breach involving 2.4 million credit and debit cards earlier this year. The chain will pay each affected customer up to $10 for each card hit with a fraudulent charge and $10 an hour for “up to three hours of documented time spent dealing with the breach.” [eSecurity Planet]

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. Attorneys say the settlement is “groundbreaking” and will likely “serve as a template for other plaintiffs in class actions over data breaches,” the report states. [Law360]

The U.S. Attorney’s Office has charged an alleged hacker in the UK with breaching thousands of computer systems in the U.S. and elsewhere. [Dark Reading]

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said.

Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in California. An employee in the hospital’s records department illegally obtained a patient’s medical file. The employee was subsequently fired. In the same state, the Legal Aid Society of San Mateo County is alerting patients of the burglary of 10 laptops containing personal data. The laptops were used by attorneys helping patients with healthcare services, and the data compromised may have contained medical data and Social Security numbers, HealthITSecurity reports.

In Florida, Broward Health is warning 960 patients about a data breach after a former employee stole their personal information. Wisconsin’s Memorial Hospital of Lafayette County has posted a notice on its website that it mailed 8,000 data breach notification letters after its third-party billing vendor accidentally sent their financial statements to the wrong people. In Virginia, two former nurse’s aides improperly accessed about 3,700 patients’ personal information in an identity theft scam, netting more than $116,000, The Virginian-Pilot reports.

An investigation by the Pittsburgh Tribune-Review has found employees or contractors committed more than 14,000 HIPAA privacy breaches since 2010, iHealthBeat reports. The breaches affected more than 100,000 veterans and more than 500 VA employees.

California’s Monterey County Department of Social Services has recently begun notifying residents that their personal data may have been exposed following access to the department’s computer by unauthorized users overseas.

An IT security vulnerability was found on News Corp’s major metropolitan websites in Australia, The Sydney Morning Herald reports. The details exposed include birthdate, e-mail address, number of children and household income.

PR Newswire is “conducting an extensive investigation” and has notified law enforcement over a breach earlier this year in which hackers broke into its networks, stealing usernames and encrypted passwords. The stolen data was recently found on the same Internet servers housing data stolen in an Adobe Systems breach, Krebs on Security reports, indicating the same party may be responsible for both breaches.

In South Africa, a variant of malware inserted into point-of-sale devices at South African fast-food outlets has cost local banks tens of millions, Mail & Guardian reports.

Following a probe by the UK Information Commissioner’s Office (ICO) into Panasonic UK’s data security policies, the company has agreed to strengthen its data security practices. The ICO will not serve an enforcement notice based on Panasonic’s plans.

Symantec Corp. is asking a federal court in California to toss out a proposed class action. The plaintiff in the case accuses Symantec of concealing a data breach and says the company is now raising “unavailing or scattershot arguments” in its aims to see the case dismissed.

Meanwhile, an article for CFO warns companies should do their due diligence before entering contract negotiations with cloud providers in order to avoid data-breach liability claims.

Identity Issues

US – Cali AG Releases Recommendations on ID Theft

California Attorney General Kamala Harris has released a report, “Medical Identity Theft: Recommendations for the Age of Electronic Medical Records,” that includes guidelines for the healthcare industry and insurers on preventing and remedying medical identity theft. The report focuses on the impact of identity theft on the accuracy of medical records and recommends that healthcare providers implement an identity theft response program, build awareness of the dangers and train staff appropriately, among other recommendations. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said Harris. Accompanying the report is also a guide for consumers. [Report]

US – Mobile Devices to Become Identity Verifiers Thanks to Federal Grants

HID Global and two of its partners have received cybersecurity grants through President Barack Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative. The grants will be used to develop systems that will enable mobile devices to carry credentials for identity verification to improve consumer privacy among other things, the report states. Dubbed the NSTIC Key Team, the companies will enable mobile devices “to be used like smart cards to secure applications and networks for a leading social media company, a healthcare organization and the U.S. Department of Defense.” [Dark Reading]

US – Experian Subsidiary Sold Data to Underground Identity Fraud Site

An underground website that sold data that could be used to commit identity fraud appears to have purchased a significant amount of information from the US credit bureau Experian. The site,, sold Social Security numbers (SSNs), drivers license numbers, and financial data. Some of the data available on the site were obtained from a company called Court Ventures, which Experian acquired in March 2012. Court Ventures “aggregates, prepackages, and distributes public record data.” The data thieves operating Superget pretended to be a US-based private investigator to gain access to the data. [KrebsOnSecurity]

US – Brill to Headline “Reclaim Your Name” Event at NYU

Now that the partial government shutdown is over, FTC Commissioner Julie Brill can focus on her next public speaking event. She will headline NYU-Poly’s third Sloan Cybersecurity Lecture, “Reclaim Your Name: Privacy in the World of Big Data,” to be held October 23, with a speech she promises will be “pretty colorful.” In this exclusive for The Privacy Advisor, Brill previews her talk by saying companies are already responding to her call for data transparency and the ability to correct and suppress. “I look at Axciom’s AboutTheData website as a response to what I called for,” she said. “It’s not nearly full-blown Reclaim Your Name, but it’s a first step toward providing more transparency to consumers about data collection and use practices.” [Source]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law.” While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports . “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [EUObserver]

Intellectual Property

US –MPAA Publishes List of Top Filesharing Sites Around the World

The Motion Picture Association of America (MPAA) has released a report that lists major illegal filesharing sites around the world. Ironically, the MPAA has criticized Google for returning high numbers of filesharing sites in its search results, but now MPAA has provided an organized list of many of those sites. The MPAA report was created to provide the US Trade Representative with the names of “potential Internet and physical notorious markets that exist outside the US.” [WIRED] [MPAA’s Report critical of Google]; [MPAA’s Report on Filesharing Sites]

Internet / WWW

EU – Europe Aims to Lead With the Cloud

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” “Trust can be restored with more transparency and the use of high standards,” the commission said. “A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential.” []

US — U.S. Group Lobbying to Prevent Cloud Mining in Europe

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud. [ZDNet]

Law Enforcement

US – City To Tighten Plate-Scanning Retention Limits

In response to an open records request, the Pittsburgh Parking Authority (PPA) will tighten its license plate scanning policy and regularly delete scanned photos from its database. Over the last eight years, the authority has taken millions of photos of parked vehicles and stored the data for up to 30 days in a database that potentially can be used to track a vehicle’s movement around the city, the report states. In a letter, PPA Executive Director David Onorato wrote, “This type of information will no longer be accessible, except with respect to vehicles that have outstanding parking tickets.” The Pennsylvania chapter of the American Civil Liberties Union applauded the move, with one representative saying, “It is really creepy when you can say, ‘You were at the Giant Eagle at such and such a time.’” [Pittsburgh Post-Gazette]

US – Aaron’s Settles FTC Charges That it Enabled Computer Spying

The Federal Trade Commission (FTC) announced that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cybersyping and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement. [FTC]


WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations“ function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Mozilla Developing GeoLocation Public Data Service

Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” “The data would be provided by cell towers, WiFi and IP addresses,” the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia. [PCWorld]

US – Federal Appeals Court Says Warrant Required for GPS Tracking

The Third US Circuit Court of Appeals has ruled that law enforcement officers must obtain a probable cause warrant before affixing GPS trackers to a suspect’s vehicle. The is the first appeals court ruling since the January 2012 US Supreme Court ruling in United States v. Jones that affixing a GPS device to a suspect’s vehicle constitutes a search under the Fourth Amendment. The justices did not rule on whether the search was unreasonable and thus required a warrant. This recent case, United States v. Katzin, involved a GPS device attached to the vehicle of a suspect in a series of pharmacy robberies. [ComputerWorld] [WIRED]


BA – Bahrain Cabinet Approves Draft Privacy Law

Gulf Daily News reports that during the cabinet’s weekly session, it gave its initial approval to a draft legislation that “aims to provide legal protection of personal privacy, which is a fundamental constitutional right.” According to Minister of State for Information Affairs and official government spokeswoman Sameera Rajab, the bill “includes the protection of digital data,” in order to “enhance public confidence in electronic transactions through the preservation and protection of personal data.” The cabinet has referred the bill to the ministerial committee for legal affairs and, according to the report, more details about it will available after it is discussed in the National Assembly.

Online Privacy

WW – Privacy Advocates, Online Ad Groups Still Doubt Do Not Track Talks

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end, but, the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.” [The Hill]

US – DMA Calls for New Privacy Laws; Marketing Questions Persist

The Direct Marketing Association (DMA) is asking Congress “to overhaul privacy laws in order to protect companies’ ability to use data for marketing purposes.” The DMA’s requests include asking Congress “to invalidate state laws ‘that endanger the value of data’ and to prohibit consumers from bringing privacy class-action lawsuits,” the report states. On the subject of direct marketing, a Forbes report entitled “Kroger Knows Your Shopping Patterns Better Than You Do “ looks at one of the nation’s leading grocery store chains’ ad campaigns. Meanwhile, in a separate incident, a DMA e-mail campaign this weekend “reportedly hit more than 100 spam traps and e-mail boxes of some of the world’s most prominent anti-spammers.” [MediaPost]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [FB Announcement]

WW – Facebook Tests Software to Track Your Cursor on Screen

New software is being tested by Facebook to increase the site’s ability to collect great amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. [The Wall Street Journal]

WW – New Open-Sourced Browser Blocks Ads by Default

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote , “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward. [InformationWeek]

US – Sen. Schumer Backs Offline Do-Not-Track

We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.” [Source]

WW – The Economics and Future of Cookies

As the IAPP reported, cookies may be reaching the end of the road—but not with a whimper. Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” [Wall Street Journal]

Other Jurisdictions

US – Senators Wants Answers on Student Data Outsourcing

Sen. Ed Markey (D-MA) wants to know how student information is being protected when it comes to data collection and analysis within the education-technology industry. Markey sent a letter to Secretary of Education Arne Duncan asking how K-12 schools are outsourcing the management and assessment of student data to technology vendor. “By collecting detailed personal information about students’ test results and learning abilities, educators may find better ways to educate their students,” Markey wrote. “However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children.” [New York Times]

AU – Australian Prof: Privacy Tort Can’t Do Everything

The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything–even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the question of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” [Full Story]

HK – Hong Kong PCPD Orders Company To Stop Supplying Data

“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. [Full Story]

Privacy (US)

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]  

US – Warrantless Surveillance Law May Face Test in Criminal Case

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday , the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

US – Tips on Complying With COPPA While Still Making Money

Sara Hanlon, the CEO of a website targeted to kids and their grandparents, offers tips on how to meet the challenges of the newly revised COPPA while continuing to bring in revenue through your website. “While there are expenses associated with compliance, the complexity of the law and the thought of overhauling an entire business model are bigger issues,” Hanlon writes, noting that for some, “the law has created opportunities to innovate in order to continue to profit.” Tips offered by Hanlon include: Read and understand COPPA, don’t “assume your lawyer, developer or anyone else is handling this for you;” create a “parents area” on your site, and join an FTC-endorsed Safe Harbor Program, among others. [AdAge]

US – FTC: Ignore Privacy Principles at Your Own Peril

U.S. Federal Trade Commissioner Julie Brill warns the data broker industry that it must protect consumer data or face the consequences. Companies that ignore “basic privacy principles do so at their own peril,” she writes, but urges the industry to join a collective creation of consumer-friendly online services, an initiative she called Reclaim Your Name. Meanwhile, the FTC is mulling potential regulation of the emerging Internet of Things (IoT) market. Referencing a recent settlement with TRENDnet, Hogan Lovells writes that the agency may be taking a broader view of “sensitive data.” The FTC will host a roundtable on IoT next month. An earlier Privacy Perspectives post looked at some of the comments provided to the FTC by industry and advocacy. [AdAge]

US – SCOTUS Won’t Hear Privacy Lawsuit

The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward. [Reuters]

US – Expose of Experian Sparks New Questions About Data Brokers

Recent revelations that a company acquired by Experian may have sold personal data to a group of identity thieves has prompted an investigation by Sen. Jay Rockefeller (D-WV). The Experian report comes as Rockefeller and the FTC are both already investigating the data broker industry. In a letter to Experian , Rockefeller wrote, “if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data.” On Wednesday, FTC Commissioner Julie Brill called on Congress to enact legislation to regulate the data broker industry. [MediaPost]

US – TSA To Screen Passengers Before They Arrive at Airports

The Transportation Security Administration (TSA) is expanding passenger screenings by searching government and private databases for data on passengers—including car registrations and employment information—before they get to the airport. The TSA says the practice, which was revealed in documents released by the TSA under government regulations on data use and collection, aims to streamline the security-check process for travelers who don’t pose a threat. “I think the best way to look at it is as a pre-crime assessment every time you fly,” said a spokesman from The Identity Project. [The New York Times]

WW – IAPP Hits 14k Members, Expands Into New Space

The IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices. [Source]

Privacy Enhancing Technologies (PETs)

WW – Business Rx: Data Privacy Firm Wants to Sell to Consumers

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. ManageURiD, formed last year, is intended to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” [The Washington Post]


US – Former US VP Disabled Wireless Capability of Implanted Defibrillator

Former US vice-president Dick Cheney acknowledges that he had modifications made to his implanted defibrillator to prevent the device from being hacked. In 2007, Cheney had the device’s wireless feature disabled. [BBC] [The Register] [ArsTechnica]


US – NIST Releases Preliminary Cybersecurity Framework

After a short delay caused by the partial U.S. government shutdown, the National Institute of Standards and Technology’s Informational Technology Laboratory has released the Preliminary Cybersecurity Framework required under President Barack Obama’s executive order, “Improving Critical Infrastructure Cybersecurity,” of February 2013. NIST will shortly open a 45-day comment period on the preliminary framework, which will be posted here . Comments can be submitted at in Word or Excel format. The feedback is vital and at the top of the document NIST outlines the types of questions they’d like answered, including issues of cost-effective implementation and existing best practices. The practices described in the document are voluntary. Some are critical of voluntary standards because they in turn become the de facto industry standards, which means companies that suffer breaches could be found liable if they have not implemented the practices. Private companies operate most elements of the country’s critical infrastructure. The final version of the document is scheduled to be released in February 2014. [GovInfoSecurity] [CNET] [Bloomberg] [SC Magazine] [Draft Framework] [NIST]

US – Workarounds Put Brands at Risk

User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52% of healthcare workers globally use risky workarounds that are out of compliance with policy, and 66% find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. [The Privacy Advisor David Houlding]

UK – 66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills

Twenty-four out of 25 UK firms report not having the adequate security measures to battle cyber attacks and two-thirds report that the lack of staff with advanced technical skills is the cause. [Telegraph]

WW – Mobile Firefox OS Exploits at Conference In India Next Month

A teenager who has discovered a way to infect Mozilla Firefox mobile operating system with malware says he will remain silent about the exploit until a November summit in New Delhi, India. Shantanu Gawde developed malware that allows attackers to gain remote access to devices’ SD cards, transfer contacts, track locations, control radio functions, and upload and download pictures, music, and video. [SC Magazine]

Smart Cards

US – Loyalty Cardholders Concerned About Privacy

Privacy is a factor for consumers considering whether to join loyalty card programs. A Mintel survey has found 32% of consumers believe “privacy is an important attribute of any loyalty program,” the report states. The study also found that 13% of respondents were frustrated “with too much personal information being requested during enrollment” and 10% cited concerns about “a lack of control over the privacy of their information,” according to the report. Mintel’s Ika Erwina said, “Reassurance of privacy is undoubtedly a key strategic tool in loyalty program engagement, but there is a paradox at play here between personalization and privacy.”[Supermarket News]


US – NSA Admits Snooping on World Leaders’ Calls

The NSA has acknowledged that it snooped on phone calls of 35 world leaders, including German Chancellor Angela Merkel. The White House was unaware of the program until this summer; once it learned about the snooping, it was stopped. The WSJ story says that the surveillance decision was made at NSA and did not require approval from the president. According to other sources, US intelligence officials say that the State Department and the White House both signed off on the surveillance program. While it is possible that the president was not briefed on specific NSA operations targeting foreign leaders’ communications, the National Security Council and senior members of the intelligence community would be aware of the activity, according to an unnamed former US intelligence official. [The Wall Street Journal] [CBS News] [CNET] [Washington Post] [LA Times]

WW – Spying Fallout Continues; Countries Draft UN Resolution

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance. [The Guardian]

US – Report Says NSA Intercepted ISPs’ Data

Google and Yahoo are upset with a report that the NSA has secretly intercepted “large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers.” “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryptions across more and more Google services and links, especially the links in the slide,” said Google’s chief legal officer. Meanwhile, the American Civil Liberties Union says an FBI program that collects reports about suspicious activity lacks privacy safeguards. [The Guardian]

WW – After NSA Disclosure, Tech Giants Look to Increase Defenses

Days after the latest National Security Agency leak showing the agency had tapped the data centers of Yahoo and Google—allegedly without either company’s knowledge— many large tech companies, including Facebook and Twitter, have been spending time and resources bolstering internal networks to protect their consumers’ data. “What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital data,” the report states. ACLU Senior Analyst Chris Soghoian said some companies are taking steps to ensure “surveillance without their consent is difficult,” but added, “what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.” [The New York Times]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Diane Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

WW – Schools Grapple With Cyberbullying and Privacy

Emerging social network monitoring systems are designed to survey publicly available posts of students and the corresponding issues around free speech and children’s privacy. Now that students’ cries for help and instances of bullying and threats can be found online, several companies are offering software to help schools detect such outbursts, but do schools have the legal right to do so? Several cyberbullying cases have made their way to federal courts. American Association of School Administrators Executive Director Daniel A. Domenech said of the issue, “It is a concern and, in some cases, a major problem for school districts,” adding that the line between school and student rights can be confusing. One school administrator is weary of such online technology, saying, “The safety and well-being of our students is our top priority, but we also need for them to have the time and space to grow without feeling like we are watching their every move.” [New York Times]

Telecom / TV

US – New TCPA Rules in Effect October 16

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. [Full Story]

US Government Programs

US – Top U.S. Intel Officials Testify; Relations Fray Further

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Administration Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU. [Source]

US – The Feds: Data Brokers’ Next Big Customer

CNN reports on one commercial data broker “that tracks and stores the employment and salary information of millions of Americans” and its “big, new customer—the federal government.” The U.S. government is now using The Work Number, a database owned by Equifax that includes “54 million active salary and employment records and more than 175 million historical records,” in a pilot program aimed at determining eligibility for such benefits as food stamps, a World Privacy Forum report has found. The World Privacy Forum is pointing out privacy concerns, including that commercial databases such as this “do not have to meet the same strict privacy and accuracy standards that government-operated databases do,” the report states. [CNN Money]

US – Fordham Law Releases Privacy Curriculum for Middle Schoolers

Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93% of 12 to 17 year olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish open-sourced curriculum for middle school kids. More than a dozen U.S. law schools have signed on to the program. [Source]

US – US Defense Secretary Wants DOD to Step Up Data Protection

In a memo earlier this month, US Defense Secretary Chuck Hagel ordered the Defense Department to implement measures to protect unclassified controlled data from being accessed by hackers. He has ordered DOD’s chief information Officer and the undersecretaries of defense for acquisition, technology, and linguistics; policy; and intelligence to assess unclassified DOD networks to evaluate their vulnerability to attacks and develop strategy to mitigate those risks. Hagel also called for DOD, the NSA, and DISA to develop means to assess loss of technical data and the consequences of those losses; identify critical acquisition and tech programs that need stronger protection; and make sure they are being adequately protected. [Federal Times] [NextGov]

US Legislation

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – Lawmakers to Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland (R-District 92) said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – California Governor Vetoes Privacy Bill Again

California Governor Jerry Brown has once again vetoed legislation that would have required law enforcement authorities to obtain warrants before searching suspects’ electronic communications. Governor Brown said the bill would impede investigations and would impose requirements beyond those in existing federal laws. This is the third time he has vetoed the legislation. [ComputerWorld] [Governor Brown’s Memo Explaining Veto]

US – Are Class-Actions Becoming Too Big To Settle?

The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. [Full Story]

US – Does the U.S. Have a De Facto National DPA?

Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Sytems. Or any of the dozens of other companies that have been pursued by the U.S. FTC over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC. [Full Story]

US – Amendment Would Require EU Permission for U.S. Law Access

Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups have written to European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” [Full Story]

US – PA House Passes 911 Privacy Bill reports, that the Pennsylvania House has passed HB 1041, providing an exemption to the state’s Right-To-Know law for information that could identify a 911 caller. The bill is sponsored by Joe Hackett (R-Delaware), who noted, “the identity of the caller must be kept confidential to prevent cases of retribution against informants and to ensure the public has a sense of safety and privacy when reporting a crime or other emergency.” The bill now heads to the Senate.

US – Texas AG Seeks to Stop Dating Service’s Database Sale

Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved. filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said. [KFYO]

US – Is DoJ Setting Up New SCOTUS Wiretapping Test?

The U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” [New York Times]

US – A Model Bill to Put CPOs in State DoEs

Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations.”. [Privacy Tracker]

Workplace Privacy

US – State Medical Board Releases Social Media Guidelines

The Rhode Island Board of Medical Licensure and Discipline has released a set of guidelines for physicians’ use of social media to help establish acceptable patient privacy interaction, Health IT Security reports. The board’s Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice sets standards for protecting patients’ privacy, avoiding online requests for medical advice, acting with professionalism and being transparent about one’s credentials and aware that posts could be publicly available. In a Privacy Perspectives post earlier this year, Indiana University Health Chief Privacy Officer Valita Fredland wrote about why healthcare providers should utilize social media. [HealthIT Security]


01-16 October 2013


CA – Groups Come Together Against Gov’t Surveillance

Georgia Straight reports that more than 20 organizations convened in Vancouver to launch the Protect Our Privacy Coalition, a group of “citizens, experts, organizations and businesses” that “have come together to defend our right to privacy based on a common statement of principle.” Micheal Vonn, policy director for the BC Civil Liberties Association, says the group was formed in response to indications that Prime Minister Stephen Harper plans to implement sections of Bill C-30 , commonly known as the online surveillance bill, and Executive Director Steve Anderson points to revelations about spying by Communications Security Establishment Canada. [Full Story]

CA – CIRA CEO: Local IXPs Can Help Avoid Snooping

The Canadian Internet Registration Authority (CIRA) initiative to create local Internet exchange points (IXPs) “where carriers and communications providers directly connect with each other to exchange traffic”—keeping that Internet traffic out of U.S.-based exchanges. CIRA President and CEO Byron Holland noted, “All the events coming out of the U.S. with the NSA and the PRISM program highlight that it’s a good idea to keep traffic in your own jurisdiction as much as you can.” Without local IXPs, he explained, “I could be sending you an e-mail from downtown Ottawa to another point in Ottawa, and there’s a 40%- chance that will go through the U.S.” [IT Business]

CA – Change to Adoption Law Raises Concerns

Under current adoption law in Quebec, if an adopted child would like information about a birth parent, there is a process whereby a youth and family service center contacts the parent to see if they’d be interested in meeting or communicating. Similarly, the center acts as a pass-through should a parent who has given a child up for adoption want to meet that child later in life. Under a new proposed reform, however, children and parents would have to register a “veto” against their identities being given out, otherwise the information would be distributed upon request. Privacy concerns have been raised because while adopted children will have their veto automatically registered when the law passes, parents would have just 18 months to register their veto or have their identities made available. [The Montreal Gazette]

CA – Manitoba Legislation Awaits Proclamation

Manitoba’s new privacy legislation, which received Royal Assent last month, now awaits proclamation. The province’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) “will establish rules for the collection, use and disclosure of personal information, including employee information, for most organizations in the province,” the report states, noting, “At this time, the federal government has not determined whether PIPITPA is ‘substantially similar’ legislation, such that it will replace the Personal Information Protection and Electronic Documents Act within the province.” [Financial Post]

CA – BC Celebrates 20 Years of FIPPA With Video, Conference

British Columbia’s Office of the Information and Privacy Commissioner played host yesterday and today to a two-day conference, Privacy and Access 20/20: A New Vision for Information Rights, designed to both celebrate the 20th anniversary of the passing of the Freedom of Information and Protection of Privacy Act and to look forward to new challenges in information access and privacy. In a column for the Vancouver Sun, and accompanying video, Commissioner Elizabeth Denham lays out “some of the challenges we never envisioned in the early days of privacy legislation.” [Full Story]

CA – Denham: BC Laws Must Be Modernized

In an op-ed for marking the 20th anniversary of the province’s Freedom of Information and Protection of Privacy Act, BC Information and Privacy Commissioner Elizabeth Denham looks at the history of the law and the areas where reform and modernization are needed. Denham suggests the Document Disposal Act must be modernized to address public demand for transparency and accountability. Additionally, she calls for the province to anticipate the challenges of this age of Big Data, adding the province “should be more concerned with the magnitude and frequency of privacy breaches and data spills in the public and private sector.” [The Vancouver Sun]

CA – Remembering Canada’s First Commissioner

Justice Inger Hansen, Canada’s first privacy commissioner, who passed away on September 28, is remembered in an obituary. Hansen, who was born in Denmark in 1929, visited Canada for the first time in 1950 and emigrated a few years later. Appointed as Canada’s first privacy commissioner in 1977, she was “responsible for complaints relating to privacy rights and data protection, a field in which she soon became an internationally recognized authority.” In 1983, Hansen was appointed as Canada’s first information commissioner, and she went on to an appointment to the Ontario Court of Justice in 1991. A memorial service is planned for late October. [Ottawa Citizen]

CA – Union Loses Bid to Keep Recordings out of Court

A major Quebec labour union has lost its bid to prevent the provincial corruption inquiry from hearing wiretap conversations involving its senior leadership. The taped conversations of the FTQ union were taken by police during an investigation. The inquiry will only use those parts of the conversations related to “professional functions” and will not focus on individuals’ personal lives. “We must find a balance between private interests, the right to respect for privacy and the public interest in the search for truth and public information related to the mandate of the inquiry,” the commission wrote in its ruling. [CTV News]


WW – MasterCard Study Looks At Human Nature Vs. Online Privacy

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” [The Washington Post] See also: [Forbes: U.S.-Style Personal Data Gathering Is Spreading Worldwide]


US – Yahoo Sued for Eavesdropping on E-Mail from Non-Yahoo Users

A complaint filed in the U.S. District Court for the Northern District of California alleges Yahoo violated California privacy and federal electronic communications laws by scanning nonusers’ e-mails in the name of targeted ads. The plaintiffs, who are not Yahoo users, allege Yahoo’s interception of messages sent to a Yahoo subscriber in order to profile, collect data and scan for keywords violates California’s Invasion of Privacy Act and the Electronic Communications Privacy Act. The complaint says the practice is “the type of behavior that the U.S. Congress and the California legislature has declared should not be tolerated in a free and civilized society.” [Bloomberg]

US – Harvard to Hold Meetings on E-mail Privacy Policy

A Harvard University taskforce will hold two meetings this month to collect feedback from students, faculty and staff on the school’s e-mail privacy policies. The move comes after fallout from revelations earlier this year that school administration officials covertly searched approximately 14,000 e-mails to find the leak that led to a cheating scandal. In addition to the two meetings, the taskforce has launched a discussion blog and has met several times over the summer to define “underlying principles and questions that it hopes to discuss with the community in the coming months,” according to a university statement, which added, “Among the principles: transparency about the realities of technology, the importance of fostering trust in the Harvard community and respect for the privacy interests necessary to ensure academic inquiry.” []

WW – Yahoo Webmail Gets Default SSL Protection in January

Yahoo has announced that starting on January 8, 2014, all Yahoo mail will be protected by SSL by default. Microsoft has offered optional SSL protection since 2010 and it has been default for Microsoft webmail since July 2012. Facebook implemented SSL for all connections several months ago; it has been an option since 2011. Twitter offered it as an option at the beginning on 2011 and made it default by August of that year. Google has had SSL on by default since 2010, an option since 2008. Yahoo began offering the option of SSL encryption earlier this year. [WashPost] [CNET] [Register]

Electronic Records

US – McAfee: “What Idiot Put This System out There?”

While some said the criticism of privacy protections in the Affordable Care Act’s implementation was political grandstanding, at least one noted cybersecurity guru is right there with them. In a scathing criticism of the technical implementation of the Affordable Care Act, John McAfee said it is a hacker’s “dream.” Because there is no central organization of the program, “anybody can put up a web page and claim to be a broker for this system … [and] it’s not something software can solve.” An unsuspecting person is likely to think a rogue website is real, deliver up Social Security number and various other intimate health details, only to discover the site is fake and built to steal identities. Retirees, McAfee predicts, will have their savings “wiped out in one day because [they] signed up for Obamacare.” [Full Story]


WW – Researcher Finds Encryption Flaw in WhatsApp

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown.” A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.” [Ars Technica]

US – Lavabit Founder Appealing Govt’s Order to Turn Over Encryption Keys

Ladar Levison, owner of the now-shuttered secure email service Lavabit, is asking the Fourth Circuit Court of Appeals in Virginia to rule that the government’s orders earlier this year demanding that the company surrender its private SSL keys were unlawful. Levison is hoping to reopen the business. While Edward Snowden has not been named in connection with the Lavabit case, it seems likely that it was Snowden’s communications the government sought when they demanded that Levison turn over the keys. Levison eventually relented, but shut down his company immediately after surrendering the keys, saying that he would rather shut down his business than be “complicit in crimes against the American people.” [WIRED] [NBC News]

WW – Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data

Lavabit will reopen for a brief window of time to allow users retrieve their data from the company’s servers. Starting at 8 PM US Eastern time on Monday, October 14, users have 72 hours to change their passwords. Following that period, users will have a short window of time to retrieve an archive of their stored messages and account data. [CNET] [Engadget]

US – US Govt Demanded Lavabit Encryption Keys

Recently unsealed documents in a court case regarding secure email provider Lavabit’s appeal of a US government demand for information show that the government had ordered Lavabit to provide it with its SSL keys. The order reads, in part, “The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation.” Levison says he suggested logging Snowden’s communications, decrypting them and uploading them to a government server on a daily basis. But the government wanted the private SSL certificate used to encrypt all Lavabit traffic. He initially provided the encryption keys in hardcopy format, printed out as strings of numbers. When he was found to be in contempt of court for this action, being fines US $5,000 a day, he eventually relented and provided the government with the electronic keys but the immediately shut down his business. [ArsTechnica] [ComputerWorld] [WIRED] [ZDNet] [Register] [Pleadings Exhibits (Redacte)]

EU Developments

EU – Groups Lobbying “Furiously” Ahead of Oct. 21 Regulation Vote

The European Parliament’s vote on “the introduction of the harsh new Data Protection Regulation,” scheduled for October 21, suggesting it will place the “battle between Big Data and individual privacy” front and center. With such organizations as the World Federation of Advertisers and the Industry Coalition for Data Protection “furiously lobbying ahead of the vote, hoping for a lighter-touch regime to protect the interests of business,” the report notes that while this month’s vote is not the last step in the process, “it is a key step in determining the outcome.” [AdAge]

EU – Justice Ministers Support “One-Stop Shop”

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organizations doing business within the EU. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.” [IDG News Service]

EU – U.S. Safe Harbor, Australian Gov’t Actions Questioned

The European Parliament’s Electronic Mass Surveillance of EU Citizens Inquiry is discussing the EU-U.S. Safe Harbor data sharing agreement and has concerns about “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false“—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.” [Press TV]

UK – Privacy Groups Taking GCHQ to Court

Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHG’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.” [Full Story]

EU – Dutch Gov’t Wants Input on Cookie Rules Change

The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from rules in that if browsers allow users to actively configure settings, implicit consent may be an acceptable method, the report states. [Full Story]

EU – Will Regulation Create Euro-Only Cloud?

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. [Full Story]

EU – Avoiding Breach Fines

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes. “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes. [ITProPortal]

EU – Netflix Dutch Privacy Violations: Watchdog Finds Itself Unable to Bite

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.” [ZDNet]

EU – Microsoft Asked by EU Privacy Watchdogs to ‘Improve’ Policies

European data protection regulators have asked Microsoft to tweak its Internet product policies as part of a formal probe into privacy issues. The Article 29 Working Party has “identified a number of areas where improvements are required,” according to a statement. “Microsoft was asked to send its response very shortly, explaining how and when it would implement” the recommendations. The regulators added they are confident that an agreement will soon be reached and indicated Microsoft has been cooperative during the investigation. [Bloomberg]


US – Justice Asks FISC Not to Allow Companies to Divulge Data Request Details

The US Justice Department (DoJ) has asked the FISC to deny a request from major technology companies, such as Google, Microsoft and Facebook, to publish additional details about requests for information they have received from the government. According to a September 30 DoJ filing, divulging the specific numbers of requests, and in some instances, the nature of the requests, would “be invaluable to our adversaries.” The companies expressed their disappointment, with a yahoo spokesperson noting that the decision “ultimately breeds distrust and suspicion – both of the United States and of companies that must comply with [their] directives.” [WashPost]


WW – Google Unveils Plans for User Names, Comments to Appear In Ads

Google plans to launch ads similar to Facebook’s “social” ads, which incorporate photos, comments and names of users. The changes were announced in the company’s revised terms of service last week. EPIC’s Marc Rotenberg said such ads unfairly commercialize Internet users’ images. Sen. Ed Markey (D-MA) has asked the Federal Trade Commission (FTC) to look at Google’s privacy changes, writing in a letter to the FTC that the policy raises questions about “whether Google is altering its privacy policy in a manner inconsistent with its consent agreement with the commission and, if the changes go into effect, the degree to which users’ identities, words and opinions could be shared across the web.” [Reuters]

US – Google Wins Dismissal of Suit Over Web Browser Cookies

Google has won the dismissal of a lawsuit that alleged it had violated computer users’ rights by slipping electronic cookies into their web browsers in the name of targeted advertising. Consumers sued in federal court alleging Google tricked their browsers into accepting the cookies. But U.S. District Court Judge Sue Robinson said in her opinion that users “didn’t demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act, the report states. [Bloomberg]

WW – Google Modifies Analytics In EU-Wide Privacy Concession

In a surprise turnaround, Google will begin offering data processing agreements to websites using Google Analytics in the EU, Iceland, Norway and Switzerland. Since 2011, Google has only offered the agreements in Germany, but after pressure from the Article 29 Working Party to make the agreements EU-wide, Google said in a statement, “Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we’re pleased to provide an optional data processing agreement to Google Analytics customers,” adding, so far, the agreement will only be available in English. The Dutch data protection authority (DPA) has not yet commented, but one privacy expert said the move is significant, adding, “It’s clearly the result of the close coordination of the different DPAs in this case.” Meanwhile, the U.S. Supreme Court has declined a Google Adwords privacy lawsuit. [IDG News Service]

US – Google Wants Wiretap Law Review Before Trial

Google has asked a federal judge for permission to take questions about federal wiretapping laws before a Gmail class-action advances any further. Multi-district claims over Google’s changes to its privacy policy last year have been combined into a single, massive class-action accusing the company of violating federal and state wiretapping, privacy and computer fraud laws. In a recent filing, Google said it wants questions about exceptions to the Electronic Communications Privacy Act answered by the Ninth Circuit before the suit moves forward. [Courthouse News Service]

Health / Medical

US – Texas HSA Tells Providers: Get Certified

The Texas Health Services Authority is encouraging HIPAA-compliance for providers and its call for providers to become privacy and/or security-certified. Citing the potential penalties at the state and federal level—including the Texas Medical Records Privacy Act’s authorization of fines ranging from $5,000 to $1.5 million per violation—the report highlights the authority’s efforts moving forward on a voluntary HIPAA compliance certification program authorized in a 2011 state law. The Health Information Trust Alliance is creating the certification recommendations .[HealthData Management]

US – Tiger Team Hears “Accounting for Disclosures” Testimony

At a hearing before the Health IT Policy Committee’s Privacy and Security Tiger Team on providing patients with information about access to their healthcare data. The hearing on the “Accounting for Disclosures” policy mandated by the HITECH Act included comments from various stakeholders. Patient Privacy Rights’ Deborah Peel “recommended that regulators require health IT developers to provide open access to logs that record every instance a patient’s digital health information is accessed or shared over a network,” the report states, while “doctors, insurers and software developers said such a policy is not feasible.” The committee is currently scheduled to meet October 9. [iHealthBeat]

Horror Stories

WW – Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp

On Tuesday, October 8, Adobe released two security updates for Reader and Acrobat. The first update addresses a memory corruption flaw in RoboHelp 10 publishing software. The second update addresses a regression in Reader and Acrobat that affects Javascript security controls. Both updates are for Windows only. [Internet Storm Center] [SANS Bulletin] [SC Magazine] [CBR online] [InfoSecurity] [Reader and Acrobat]

WW – Attackers Steal Adobe Product Source Code and Access Customer Data

Hackers broke into Adobe’s network where they stole source code for a number of products, including Acrobat, ColdFusion, and ColdFusion Builder. They also accessed customer data, including account login credentials and nearly three million payment card records. The stolen data were stored on the same server used by the criminals who stole data from LexisNexis, Kroll, and Dun & Bradstreet. Adobe believes the attackers accessed the source code repository in mid-August. [Krebs] [CNET] [ArsTechnica] [BankInfoSecurity] Adobe Announcements: [Illegal Access to Adobe Source Code] [Customer Security Announcement] [Internet Storm Center:]

WW –2.9 Million Customers Affected by Cyber-Attack

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.” [BBC]

WW – October Shaping Up to Be Month of Innumerable Breaches

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premiere search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports , he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for, we round-up an already very busy month in data breaches and responses. [The Privacy Advisor] Amidst last week’s reports of a hack affecting 2.9 million customers, Adobe is resetting relevant customer passwords and “notifying customers whose credit or debit card information may have been compromised.” Meanwhile, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld reports on Microsoft’s recycling of old addresses . And from medical data to personal information, breaches are being reported across the globe. In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner’s Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff. In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period. And in the U.S., North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail, and Natural Provisions, a Vermont grocery store chain, has agreed to pay $30,000 to settle a violation of state data breach laws. [Mondaq]

US – School District, Health-Related Breaches Reported

A New Orleans teachers’ union claims the East Baton Rouge Parish school system violated its employees’ privacy rights when it purchased a full-page ad to congratulate—by name—1,113 educators, The Advocate reports. In Illinois, a local hospital is alerting some of its patients of a possible data breach after a laptop was stolen from an employee’s car. In California, a public health unit is notifying almost 600 patients that their protected health information has been compromised after a laptop was stolen there. And in Iowa, law enforcement is investigating a breach of electronic medical records after a third-party company gained access to the system using an authorized user’s password. Meanwhile, healthcare experts have been discussing concerns related to the need to share veterans’ healthcare data and recent breaches at Veterans Affairs. [Full Story]

Internet / WWW

US – Ad Groups Working on New Tech for Opt-Out

With the W3C’s efforts on Do Not Track moving along again with a call October 9, The San Francisco Chronicle details work by the Digital Advertising Alliance and the Interactive Advertising Bureau to develop technology that would allow consumers to opt out of online tracking “when methods other than traditional cookies are deployed.” The article focuses on a firm called BlueKai, which develops technology for data transfer independent of cookies, but with “the same transparency and notices that cookies have.” [Full Story]

US – Silk Road Bust Shows Feds Penetrating Deep Internet Anonymity

The bust this week of the notorious online entrepreneur Dread Pirate Roberts, now known to be Ross William Ulbricht, a 29-year-old from San Francisco, CA, and the closing of his Silk Road online marketplace for illicit drugs and other sundries, shows U.S. law enforcement is infiltrating ever deeper into the “Deepnet” or “hidden Internet.” Silk Road operated on the Tor anonymity network and was used by thousands to get home deliveries of everything from cocaine to fake passports. Because of Tor’s ability to shield IP addresses and online personas, it can be difficult to uncover the identities of those running these kinds of marketplaces that are hidden from the vast majority of Internet users. In this case, it may be that Ulbricht was undone by his use of a Gmail address. [CSO Online]

US – “Big Data” Likened to Atomic Power and Other NSA-Related News

A scientist suggests that Big Data is akin to atomic energy in that “it’s very beneficial when used ethically and downright destructive when turned into a weapon.” Meanwhile, in its ongoing series examining the digital trails we leave behind “and who potentially has access,” NPR considers whether the Fourth Amendment provides any protection. And a Tech Dirt feature focuses on 2013 IAPP Vanguard Award winner and former Department of Homeland Security (DHS) CPO Mary Ellen Callahan, founder and chair of Jenner & Block’s Privacy and Information Governance Practice. The report cites Callahan’s comments in support of protecting Americans’ privacy rights amidst what its author references as a “lack of respect for privacy in both (DHS) and the wider intelligence community.” [TechDirt]

Law Enforcement

CA – Police Consider Wearable Cameras

The Toronto Police Service is considering wearable cameras for its police force. The aim of the wearable cameras is to provide the police and the public with better accountability. Deputy Chief Peter Sloly said the force is in the process of researching the cameras and understanding the potential logistical factors. “We’ll have to look at the IT supports,” he said, “the governance—there’ll be privacy issues.” The cameras would potentially be worn on glasses to record incidents from the officer’s view. A representative from the Canadian Civil Liberties Association has expressed concern over the technology, saying that “if you have all these things on your databases, what are the other potential uses of this? Have they thought this through?” [The Globe and Mail]


US – Advertisers Finding New Ways to Track Mobile Users

New trends in mobile tracking—even if “tracking is a dirty word” now, according to Eric Rosenblum, COO at Drawbridge, a start-up that is “observing your behaviors and connecting your profile to mobile devices.” Thus, advertisers are now able to connect desktop browsing with mobile devices based on app downloads and other indicators. Other firms, like Flurry, Velti and SessionM are doing similar work in helping advertisers like Ford, American Express and Expedia better target potential customers, according to the report. For many advertisers, the report says, “cookies are becoming irrelevant.” [The Boston Globe]

WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations“ function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Bolstering Brick-and-Mortar Transparency

Improved technology now allows brick-and-mortar retailers to collect data—including location and contacts—from customers’ smartphones, but according to research conducted by Create with Context (CwC), only 33% of the customers surveyed were aware of such collection. Previous research has revealed that when customers are unaware of such data collection—but then find out about it later—trust erodes. “How, then,” Ilana Westerman and Gabriela Aschenberger, both of CwC, ask, “can businesses create transparency around data collection?” [Full Story]

WW – App Tracks Consumers in Exchange for Discounts

A new shopping app tracks consumers and gives them discounts based on their location. Capable of detecting microlocation—detecting such minute details as the aisle of a store in which a consumer is standing—it communicates with the Bluetooth in users’ cellphones and alerts them to tailor-made discounts. The app’s investors and CEO “are betting on the fact that consumers won’t mind tracking if they get a significant payback from it,” the report states. The app raised $8 million in venture capital Tuesday. [Blouin News]

Online Privacy

WW – Facebook No Longer Lets Users Hide from Search

Facebook has announced the final phase of removing an old privacy feature from the site. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting. [USA TODAY]

EU – Privacy Group Receives Facebook Response

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision. [Full Story]

WW – W3C Do Not Track in Limbo

The W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month , said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. [The Privacy Advisor]

WW – W3C to Vote on DNT Effort

Web standards group the World Wide Web Consortium is set to vote Wednesday on whether it will continue with its Do-Not-Track (DNT) standard. Justin Brookman, the group’s newly appointed co-chairman, said he expects stakeholders “will express a desire to move forward,” adding, “We’ve had a couple of calls under the new leadership now, and so far the new structure seems to be working.” If the group expresses a desire to not move forward, Brookman said it would be “better to end it now than spend another two years squabbling and not coming to a resolution because people aren’t invested in the process.” The Washington Post reports that the increasing move by consumers to mobile will likely make current cookie-based DNT technology less relevant. According to several surveys, the majority of users now surf the web via mobile apps rather than browsers. [The Hill]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [Facebook]

US – DMA Releases Study Touting Data-Driven Job Production

The Direct Marketing Association (DMA) has released a study indicating data-driven marketing led to 675,000 jobs in the U.S. in 2012. The study responds to an increasing focus on regulating online tracking and data-driven marketing, a push that often puts the online ad industry on the defensive. The DMA’s Rachel Thomas said the study’s release aims to help change that. Meanwhile, the Better Business Bureau says “a ‘significant minority’ of publishers don’t follow self-regulatory rules requiring enhanced notice about data collection,” MediaPost reports. [The Hill]

US – Data-Mining App Receives $10M in Funding

Refresh, a mobile app mines data of individuals present at meetings by gleaning information from social networks and other publicly available sources, and how the app has just received $10 million in venture capital. Refresh founder Bhavin Shah said, “It’s common now for each of us to have 10-plus years of posts, tweets, job history, Q&A, check-ins, etc. Now is the right time to start leveraging that fragmented information to make us more thoughtful and intelligent about our friends, colleagues and everyone we meet.” He added that Refresh’s work “allows us to anticipate who you’re going to meet today and consolidate interesting information about them into a just-in-time dossier delivered to your smartphone.” [Fast Company]

Other Jurisdictions

AU – OAIC Releases Best Practice Guide for Apps

The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphones apps due to privacy concerns. [TechWorld]

AU – Gov’t Urged to Rewrite Terms of Reference

The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward. [The Australian]

ZB – Zimbabwe Passes Centralized SIM Card Database

The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013 establishes a central database of information about all mobile telephone users in the country based on powers granted through the Interception of Communications Act. The Statutory Instrument requires telecommunications providers to establish a subscriber database of all SIM card holders including phone numbers, names, addresses, genders, nationalities and passport or ID numbers, then regularly submit copies to the government, which will create its own central subscriber information database. [Kubatana]

Privacy (US)

US – Markey Urges FTC to Vet Tracking Technologies

Sen. Ed Markey (D-MA) has called on the FTC to investigate technologies that allow companies to track users across multiple devices. “Such persistent and pervasive tracking raises a number of important privacy concerns for all Americans,” Markey said in a letter to the FTC Thursday. Meanwhile, a new report from privacy researchers indicates many websites are using new technology to secretly track users’ browsing habits. At the EmTech 2013 conference in Cambridge, MA, this week, a senior advisor to Microsoft CEO Steve Ballmer said a new privacy model is needed to address the ways data is gathered, eWEEK reports. [The Hill]

US – Airbnb Says “Nay” to AG’s Request for Data

New York State Attorney General (AG) Eric Schneiderman demanded that apartment-sharing site Airbnb release user data on 15,000 New York City apartment hosts to investigate the legality of the site, but Airbnb has filed a motion in the New York State Supreme Court objecting to the AG’s demands. In a statement, an Airbnb spokesman said, “The subpoena issued by the attorney general last Friday goes well beyond bad actors and demands information about thousands of regular Airbnb hosts in New York. So, we made it clear to the attorney general’s office from the very beginning that we would never agree to this type of government-sponsored fishing expedition.” [Business Insider]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [Full Story]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Group Presses for Safeguards on the Personal Data of Schoolchildren

Common Sense Media is calling for the educational technology software industry “to develop national safeguards for the personal data collected about students from kindergarten through high school.” In a letter sent to 16 educational technology vendors, the advocacy group urged that student data be used “only for educational purposes and not for marketing products to children or their families.” Common Sense Media CEO James P. Steyer said, “We believe in the power of education technology, used wisely, to transform learning … But students should not have to surrender their privacy at the schoolhouse door.” [The New York Times]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at this week’s IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [Full Story]

US – Callahan Named Vanguard; Innovation Award Recipients Announced

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs. [Full Story]

US – Advocates Call for Open Talks, Warn NSA Weakening Cybersecurity

A group of privacy advocates is warning that attempts by the U.S. National Security Agency (NSA) to weaken encryption for surveillance access will create mistrust in U.S.-based Internet companies around the world. Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former Google public policy director, said for U.S. businesses, it is “terribly debilitating and undermining to have the rest of the world thinking there have been backdoors built into their systems to help the U.S. government.” The developments will also erode trust in the U.S. National Institute of Standards and Technology because of reports the standards group aided the NSA in tampering with the standards. Meanwhile, six privacy advocacy organizations are calling on the U.S. House of Representatives Privacy Working Group’s leaders to open up its meetings with tech companies to the public. [PC World]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Eggers Book Satirizes Threat to Privacy

Dave Eggers’ book The Circle, satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times  wonders if the novel will change the way we use technology. [The Associated Press]

US – Student Data Repository Debate Continues

The New York Times reports on the ongoing questions surrounding school district plans to outsource student data storage and the privacy implications. The article focuses on how a Colorado superintendent saw nonprofit data repository inBloom as a fix for managing data currently in multiple databases in the cloud. But “a series of parents, school board members and privacy lawyers assailed the plan to outsource student data storage to inBloom.” Among those who voiced concerns was EPIC’s Khaliah Barnes, who said, “While we understand the value of data for promoting and evaluating personalized learning, there are too few safeguards for the amount of data collected and transmitted from schools to private companies.” The district is expected to decide on the plan by January, the report states. [New York Times]

US – Rosenthal Is NAI’s New General Counsel, VP

The Network Advertising Initiative (NAI) has announced that longtime member company representative Noga Rosenthal has joined the NAI as its general counsel and vice president of compliance and policy. Rosenthal, who was formerly the senior vice president of 24/7 Media and Media Innovation Group, LLC, “will assist the NAI in its core mission of reinforcing responsible business and data management best practices through the development and rigorous enforcement of high standards.” “With online advertising expanding every year and the role of third parties and the technologies they employ highly debated by lawmakers and industry representatives, it is an incredibly important time to be joining the NAI team,” Rosenthal said. [Ad Ops]

US – AGs: We Aren’t Afraid to Flex Our Muscles

Representatives from the offices of three state attorneys general (AGs) said they aren’t reluctant to bring actions against companies involved in data breaches. Vermont Attorney General William Sorrell said AGs would bring such action to “serve as an example to other companies and … to have a relatively equal playing field.” Joanne McNabb of the California AG’s office pointed to the recent creation of a privacy unit under California AG Kamala Harris as proof of privacy’s importance to the state. [Bloomberg]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries.” Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Cyber security: Privacy experts profit from Prism uproar

A burgeoning privacy-enhancing technology business and the rising profits is stemming from Edward Snowden’s surveillance disclosures. Businesses and governments, in addition to journalists, are demanding encryption services for protection. Silent Circle, which offers text and phone encryption services, is used by 16 of the Fortune 50 companies. Silent Circle CEO Mike Janke said, “We were growing 100% a year before the NSA/PRISM scandal; now we are growing at 400%.” He added, “Ten years ago, if you had encryption on a device, people asked what you are hiding. Now if you’re a businessperson and you don’t have it, people ask if you’re stupid.” Capital is also being invested in the privacy tech industry. All Things D reports that privacy startup Personal, which offers a digital vault service, has raised $4.5 million. According to USA Today, Yahoo will begin default encryption services in January. [Financial Times]


WW –Shortage of Cyber Security Professionals Felt Worldwide

Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists. [NBCNews] [Japan Needs 80,000 Infosec Professionals]

US – Voluntary Exec Order Cybersecurity Standards Are Baseline Expectations

US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach. The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, “There is a major difference between being ‘compliant,’ and being ‘secure'” and that securing data is not an endgame – it’s a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014. [Information Week] [ComputerWorld]

BR – Brazil Plans Secure Government eMail System

The Brazilian government has given the country’s Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government’s electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country’s national oil company, Petrobras. [CpomputerWorld]


US – Are Providers Outside the U.S. Safer from Gov’t Intrusion?

The National Security Agency’s (NSA) harvests hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world. Each day, the NSA collects contacts from about 500,000 buddy lists and web-based e-mail accounts, the report states. Meanwhile, Solicitor General Donald Verrilli has asked Supreme Court justices not to hear the Electronic Privacy Information Center’s case asking for an immediate shutdown of NSA phone surveillance of Americans. In San Francisco, tech company BitTorrent has owned up to defacing its own billboards in order to capitalize on privacy fears following NSA revelations. And a U.S. appellate court has unsealed a set of documents pertaining to Lavabit, whose founder resisted government pressure for access to it. Ars Technica says, despite NSA revelations, foreign e-mail providers may not be any safer from government intrusion than those based in the U.S. [Washington Post]

US – NSA Attempts to Crack Tor Are (Mostly) Unsuccessful

According to leaked documents, the NSA attempted to monitor targets using Tor by exploiting vulnerabilities in Firefox. NSA and its UK counterpart, GCHQ, have been trying for some time to crack Tor. Short for The Onion Router, Tor is an online anonymization service that helps users hide their identities and their online activity by routing encrypted traffic through other computers, which are volunteered by those machines’ owners. One of the attempts to break Tor involved infecting the computers of Tor users. The report indicated that the NSA has been unsuccessful in decrypting Tor communications but had managed to “de-anonymize a very small fraction of Tor users.” [BBC] [Guardian] [Schneier] [Ars Technica]

US – Privacy Fears Grow as Cities Increase Surveillance

Increased use by local law enforcement agencies of Big Data surveillance technology are raising corresponding privacy concerns. Particularly, the city of Oakland, CA, recently received $7 million in federal funding to help fight terrorism at its major port. The money, according to the report, is being used for a police initiative including the purchase of gunshot-detection sensors in East Oakland and license plate scanners in police cars. Federal money is also supporting similar initiatives within the New York Police Department, including a system that links more than 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Oakland City Councillor Libby Schaaf said “it’s our responsibility to take advantage of new tools that become available,” but added that the system could “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.” [The New York Times]

Telecom / TV

US – New TCPA Rules in Effect

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) went into effect October 15. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. [Covington & Burling client alert]

US Government Programs

US – TSA’s “Pre-Check” Raising Concerns

The Transportation Security Administration (TSA) Pre-Check program, which is due to formally launch this fall, “will already have the enthusiastic endorsement of frequent travelers—and an equally enthusiastic denouncement from privacy advocates.” The Pre-Check “trusted travelers” program may allow enrollees to bypass airport security lines, but it has privacy advocates pointing out that even those who pay the fee to enroll have no guarantee they’ll be included and those who are excluded may not be told why. “If you sign up, you’ll want to keep your nose clean for the rest of your life,” noted the Center for Democracy & Technology’s Gregory Nojeim, “because that’s how long the FBI will keep your fingerprints.” [The Washington Post]

US – FISC Approves NSA’s Request to Renew Phone Metadata Collection

The US Foreign Intelligence Surveillance Court has reauthorized the NSA’s phone call metadata collection program. The previous authorization order expired on October 11. News of the reauthorization was disclosed in a press release from the Office of the Director of National Intelligence. [ArsTechnica] [The Hill] [DNI Press Release]

US – Judge: Intelligence Director Withheld Docs Properly

A federal judge has ruled the director of national intelligence properly withheld documents related to how his office uses databases to fight terrorism. The Electronic Privacy Information Center filed suit in Washington, DC, after obtaining documents via a Freedom of Information Act request with the Office of the Director of National Intelligence on how the National Counterterrorism Center gets information from other federal agencies, the report states. Meanwhile, Director of the National Security Agency (NSA) Gen. Keith Alexander said the NSA must regain consumer and industry trust . In an opinion piece for Aljazeera America, Dan Froomkin opines that what’s needed is not promises from politicians but a public discussion of what privacy means in this new era. [Courthouse News Service]

US – General Alexander’s Scope of Influence Raises Concerns

NSA Director General Keith Alexander also heads the US military’s Cyber Command. Some have expressed concern about Alexander’s dual roles. The Brookings Institute’s Peter Singer said that it “blurs the lines between a military command and a national spy agency.” Alexander defends the breadth of his influence, saying, “We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who’s in charge.” Jason Healey director of the Atlantic Council’s Cyber Statecraft Initiative said. “We’re allowing the same commander to tell us how bad the problem is and propose and implement solutions to fix it.” [WashPost]

US – Proposed Legislation Would Reform Foreign Intelligence Surveillance Court

Two US legislators are sponsoring a bill that would reform the Foreign Intelligence Surveillance Court (FISC). The proposed legislation is a companion bill to one introduced in the Senate earlier this year. Among its provisions are the creation of an Office of the Constitutional Advocate to argue for civil liberties during court proceedings and a requirement that the Attorney General declassify or summarize certain FISC decisions. [WashPost]

US – NSA Admits to Cellphone Location Data Gathering Pilot

The NSA has acknowledged that in 2010, it initiated a test project to collect wholesale cellphone location data on regular citizens, but ended the program in 2011 because it did not provide “operational value.” NSA director General Keith Alexander said on Wednesday, October 2, that sample cellphone location data were collected “to test the ability of [the NSA’s] system’s to handle the data format, but that data was not used for any other purpose.” Alexander had evaded answering a question about the subject last week in a hearing. Senator Ron Wyden (D-Oregon) suggested that there is still “significant information” that has not been disclosed. [WashPost] [Register]

US – More Privacy Victims of the Govt. Shutdown

Groups tasked with U.S. intelligence oversight have suffered a setback at the hands of the U.S. federal government shutdown. According to a Politico report, the five-member Review Group on Intelligence and Communications Technologies, the independent surveillance oversight board created by President Barack Obama to respond to criticisms of the National Security Agency’s activities, met with Congressional intelligence leadership on Tuesday, but member Michael Morell, former director of the CIA, declined to take part, saying it was inappropriate in light of the shutdown. Then, on Friday, the Review Group’s staff was furloughed by the Office of Director of National Intelligence James Clapper. The volunteer board is free to meet, but all travel funds, etc., are frozen. Similarly, the Privacy and Civil Liberties Oversight Board was supposed to hold a public hearing Friday on proposals for changing surveillance programs but postponed the session because witnesses were unable to appear. Roughly 70% of the intelligence community in the U.S. is currently on furlough. Meanwhile, some are questioning why the FTC, for example, has chosen to cut off all access to its website during the shutdown. [Full Story]

US Legislation

US – Citing “Failure of Oversight,” Patriot Act Author Sponsors Reform Bill

US Representative James Sensenbrenner (R-Wisconsin), who authored the original Patriot Act in the days following the September 11 attacks, is displeased with how the legislation has been used to justify the NSA’s data harvesting programs. Sensenbrenner is introducing legislation with co-sponsors Senator Patrick Leahy (D-Vermont) and Representative John Conyers (D-Michigan) to try to address concerns over how the law has been used. The USA Freedom Act restricts aspects of the Patriot Act’s controversial section 215 so it will be used more narrowly, in line with the original intent of the law. The bill also introduces changes to the FISC, including creating the position of public advocate to appeal court decisions that appear to violate the law, and allowing companies that have been served with the orders to specify the number of FISA orders and NSLs (national security letters) they have received and complied with. [WashPost]

US – White House Pursuing Online Privacy Bill

Now 18 months out from President Barack Obama’s unveiling of a proposal for a Privacy Bill of Rights, Politico reports that the White House is actively working on legislation that would “boost online privacy safeguards for consumers.” According to the report, the bill would define privacy rights, convene further multistakeholder approaches to defining standards and give the FTC authority to enforce codes of conduct. The Commerce Department is helping to draft the legislation, according to the report, and Rep. Lee Terry (R-NE), chairman of the House Energy and Commerce Subcommittee, has been approached about helping to shepherd the bill through Congress. The Internet Association, Direct Marketing Association and others are lining up to make sure their voices are heard. Urgency is lent by continuing NSA revelations, such as today’s news that the National Security Agency used a Firefox flaw to target users of the anonymous Tor network. [Full Story]

US – CalOPPA Introduces New Disclosure Requirements

On September 27, Gov. Jerry Brown signed into law California Assembly Bill 370, which amends the California Online Privacy Protection Act requiring businesses to disclose how they respond to Do-Not-Track (DNT) signals. The new law, which may effectively apply to any website or mobile app in the world, is the first to officially address the DNT mechanism endorsed by the Federal Trade Commission and debated by industry. While the disclosures required under the new law appear straightforward, they present formidable compliance challenges for covered businesses given that they mandate the implementation of standards and concepts that are not well settled in law or practice. [Full Story]

US – California Continues to Shape Privacy and Data Security Standards

With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. The Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented. [Privacy Tracker]

US – Montana Gun Owner Healthcare Privacy Law Goes Into Effect

As of October 1, healthcare providers—including psychological practitioners—are no longer allowed to ask patients about gun ownership, possession or use. HB 459, now Montana law at 50-16-108, M.C.A., aims to address gun owners’ concerns that medical records could be used to collect and centralize information about gun ownership. [Fairfield Sun Times]

US – DoJ, Oklahoma Rep. Considering Drone Regulations

A new report from the Office of the Inspector General (OIG) recommends that the Department of Justice look into creating rules for law enforcement’s use of drones. The OIG’s recommendation follows an audit of drone use by the FBI, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration and U.S. Marshals Service. Meanwhile, Oklahoma Rep. Paul Wesselhoft (R-Moore) is teaming up with the American Civil Liberties Union to come up with privacy laws surrounding the use of drones by the government. [The Verge]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach. [Mondaq]

US – Telemarketing Rules Go Into Effect this Month

The Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.” [Privacy and Security Matters]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [The Privacy Advisor]

US – Revenge Porn Law Doesn’t Go Far Enough: Opinion

On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelton, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.” [Slate]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach.[Mondaq]

Workplace Privacy

WW – Report: Most Breaches Come From the Inside

A new report reveals that the most common cause of a data breach within an organization stems from inadvertent misuse of data by employees. Conducted by Forrester Research, the report, Understand the State of Data Security and Privacy , surveyed organizations from Canada, France, Germany, the UK and the U.S. with two or more employees. Approximately 42% of small- to medium-sized organizations surveyed had received some sort of internal data protection training. Forrester Analyst Heidi Shey, author of the report, said, “A lot of organizations haven’t invested in a dedicated privacy group or function,” and many IT departments have privacy as an extra layer, adding that, moving forward, organizations may conclude they need a dedicated privacy group. Meanwhile, startup Lookout is stepping into the bring-your-own-device arena by offering an app that bolsters smartphones against data breaches. [PC World]




16-30 September 2013


US – Homeland Security Testing Facial Recognition At Hockey Game

The Department of Homeland Security will test facial recognition software capabilities at a September 21 hockey game in the state of Washington. The Tri-Cities Toyota Center can seat 6,000 fans. Twenty specific faces will be sought by the technology, called the Biometric Optical Surveillance System (BOSS). A privacy impact assessment in 2012 found the technology was capable of capturing images of an individual from 50 to 100 meters away and can be set up to track an individual as he or she moves. Fans will be allowed to opt out and sit in an area without cameras; no names will be collected, and only government researchers will see the images, the report states. [Computerworld]

WW – Facedeals to Use Facial Recognition for Targeted On-Site Advertising

Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—”ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal? [MarketingLand]

US – Franken Wants Answers on Fingerprint Passwords

Sen. Al Franken (D-MN) is concerned about the fingerprint swipe password feature on Apple’s latest iPhone release. In a letter to Apple CEO Tim Cook, Franken wrote, “Passwords are secret and dynamic; fingerprints are public and permanent … If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints.” Franken asked Cook to answer questions on how fingerprint data will be protected and with which third parties it may be shared. Meanwhile, a group of hackers in Germany say they have successfully hacked the fingerprint feature. Full Story


CA – OPC Encourages Parliament To Review PIPEDA

With a new parliamentary session scheduled to begin in October, Sébastien Gariépy, spokesman for Industry Minister James Moore, has said “he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.” An Office of the Privacy Commissioner spokesman noted, “Much has changed as the years have passed, and the commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches. Our office would again encourage parliamentarians to proceed with a second review of PIPEDA.” [Bloomberg BNA] SEE ALSO: [Stoddart: PIPEDA “Really Doesn’t Do Anything”]

CA – Resurfacing of Photo Highlights Lack of Control

A photo of a deceased teen girl turned up in third-party dating ads on Facebook, highlighting “how little control anyone has over any image once it gets out into the Internet sphere,” says technology and law Prof. Robert Currie. “It really seems to me to be an unfortunate accident that is causing a lot of grief … But it’s just the kind of thing that is going to happen,” says Currie. The company posting the ad used an image scraper to get the image, according to its administrator. Facebook has banned the company, saying the ads are a “gross violation” of its policies. [The Canadian Press]

CA – Advertisers Offering Consumers Choice

The Digital Advertising Alliance of Canada (DAAC) has announced a program to allow consumers “to control whether they want to receive targeted advertising messages.” Canadians will soon begin to see an “Ad Choices” icon in this offshoot of a movement that began in the U.S. and later spread to Europe. The DAAC hopes to educate consumers about how they are targeted, while the Office of the Privacy Commissioner has said it is “pleased that the advertising industry is taking action on this issue … the use of online behavioural advertising has grown dramatically and we are concerned that Canadians’ privacy rights are not always being respected.” [The Globe and Mail]


US – Study: Consumers Favor Companies That Let Them Opt Out

A recent TRUSTe study has found that 62% of consumers will do more business with a company that gives them the option to opt out of online behavioral advertising. The study, which polled 1,171 U.S. Internet users, also found that 53% of consumers are more willing to click on an ad that gives them the option to opt out and that users feel more positive about the business behind an ad if the Digital Advertising Alliance’s AdChoices icon is displayed, indicating a growing awareness of the tool. [Truste Consumer Data Repoert]

US – Survey Results Indicate Companies Should Compete on Privacy

A survey shows “40% of companies use customer information collected online for targeting purposes and 88.5% of chief marketing officers (CMOs) expect this practice to increase over time.” Another report suggests data hoarding can be a drag on business , presenting dangers including potential legal issues surrounding the requirements to protect the data a company possesses. The CMO study indicates marketers “have very low levels of concern about how the use of online customer data infringes upon privacy.” Considering this in the context of a Pew survey where 86 percent of respondents indicated taking “steps to remove or mask their digital footprints,” the report suggests companies should compete on privacy. [Forbes]

WW – The Privacy Paradox for Bank Loyalty Programs

A recent survey of 6,000 individuals belonging to loyalty card programs across the U.S. queried respondents to classify certain types of targeted marketing as “cool and exciting” or “creepy and weird.” Respondents to the Maritz Loyalty Marketing survey on average enrolled in 7.4 loyalty programs, with 1.8 connected to a credit or debit card. Card program categories included retail, grocery, hotel, airline, entertainment and financial services. Respondents over the age of 50 tended to get more “creeped out” by use of their personal data than younger individuals even when special benefits were transmitted. The marketing function that received the highest “creepy” rating stemmed from reviewing Facebook posts of friends to determine rewards eligibility. [American Banker]

US – Acxiom to Create ‘Master Profiles’ Tying Offline and Online Data

Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. [Financial Times]


US – DOE Now Says July Breach Affected 53,000 People

The US Department of Energy (DOE) has updated information about a July data breach that compromised employees’ personally identifiable information. DOE now says that the breach affects 53,000 current and former employees, contractors, and dependents. The information compromised includes names, Social Security numbers (SSNs) and birth dates. The attacker or attackers exploited a known vulnerability in an unpatched ColdFusion system called DOEInfo. The department’s investigation indicates that the theft of the personal information “might have been the primary purpose of the attack.” DOE will notify all affected individuals within the next two weeks. [InformationWeek][DOE Cyber Incident Information]


WW – Email Surveillance Could Reveal Journalists’ Sources, Expert Claims

Creator of the email encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine. ]Full Story]

US – App Maps Users’ Lives Via Inbox Scanning

An app built by a group of MIT researchers that visualizes users’ social lives by looking at their e-mail inboxes. Immersion uses timestamps and the to, from and CC fields to draw a map of the user’s social connections. It offers users a look at Big Data and the “digital exhaust they’re continually leaving behind,” said MIT’s Cesar Hidalgo, adding it’s a particularly useful perspective following revelations of NSA surveillance measures. The app does allow users to delete data upon logout. “If I am able to withdraw my money from my bank account, I should be able to withdraw my data from my e-mail provider,” Hidalgo said. [WIRED]

US – Problems Surfacing with Reassigned Yahoo Accounts

Some people who obtained reassigned Yahoo email addresses are receiving personal messages meant for the prior account holder. Some of the messages contain sensitive personal information, such as data about other accounts, emailed receipts, and appointment and travel confirmations. Earlier this year, Yahoo said it would begin reassigning email addresses and Yahoo IDs that had been inactive for more than a year. A company representative said that before reassigning the identifiers, they attempted to contact the account owners in several ways. Yahoo said they would unsubscribe the dormant accounts from newsletters and alerts and notify “merchants, ecommerce sites, financial institutions, social networks, email providers, and other online properties” that the account no longer exists before reassigning the name. [BBC] [CNET] [InformationWeek]

US – Users Sue LinkedIn Over Harvesting of E-Mail Addresses

A new lawsuit against LinkedIn has been filed by four users who claim the professional networking site accessed their e-mails without consent and used the harvested addresses of their contacts to spam non-users with invites to the service. In one claim, the suit alleges LinkedIn is “breaking into” external e-mail accounts pretending to be the user, but no details are offered. In response, LinkedIn has released a blog post refuting the claims. In separate class-action news, a Politics in Minnesota report details the mounting data protection lawsuits being filed against the government after one case resulted in more than $1 million worth of settlements from illegal government access to driver’s license records. [The New York Times ]


US – NSA Defeats Internet Encryption

According to documents leaked by Edward Snowden, the US government has spent more than US $10 billion over four years on the Consolidated Cryptologic Program. The documents also show that the NSA has used its influence to insert encryption weaknesses in currently used standards; used a variety of techniques – including hacking – to acquire cryptographic keys from various technology companies; and in some instances, broke into targeted machines to intercept messages before they were encrypted. [NYTimes] [ArsTechnica]

WW – Google Will Send All Searches Over SSL

Google is now sending all searches over secure sockets layer (SSL). Google has been using SSL to protect Google account holders’ searches since 2011. SSL encrypts connections between users’ computers and Google, which means that ISPs, Wi-Fi hotspots, and Internet cafes cannot intercept searches conducted through Google. Users’ search results will be protected, but their search terms and the fact they that they visited may not be protected. [SCMagazine]

US – RSA Warns Customers Not to Use Cryptography with NSA Backdoor

RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company’s products, the BSAFE toolkit and Data Protection Manager, use the specification, known as Dual EC_DRBG, by default. RSA recommends that customers using the affected products switch to a different pseudo random number generator (PRNG). [ArsTechnica]

EU Developments

EU – Reports Call for EU Cloud, Student Data Protection

A report commissioned by the European Parliament that suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance.” Meanwhile, a report, “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.” [Fierce Government IT]

EU – MEPS: Stop TFTP Agreement in Its Tracks

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended. The demands to halt the Terrorist Finance Tracking Program (TFTP) at a recent hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. “We have no evidence that they have actually been doing this, but they don’t deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future,” said Dutch MEP Sophie in’t Veld, adding she considers the agreement to be “effectively dead.” [PCWorld]

EU – MEPs Hear US Privacy Experts, Whistleblowers And Snowden Statement

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, “not privacy, per se.” Meanwhile, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications. [EuroParl]

EU – Lawmakers Accused of Rushing EU Data Protection Law

“Industrialists and diplomats have accused MEPs of rushing through data protection laws that they say would boost their electoral chances more than Europe’s economies.” At an event in Brussels, policymakers and industry representatives clashed over the EU draft regulation’s timeline, the report states, citing comments by the European Commission’s Paul Nemitz indicating companies that value their customers’ needs will not have issues with the new rules. “If you are operating cross-borders, your life is likely to become easier. Why? Because in the future, we’ll have one law in form of a regulation rather than 28 implementing laws based on a directive and we will have a consistency mechanism,” Nemitz said. [EurActiv]

EU – Dutch IT Trade Org Objects to Proposed Breach Notification Legislation

A trade organization representing IT companies in the Netherlands is objecting a proposed law in that country requiring technology companies to report security breaches. Nederland ICT says that Dutch companies are already required to report breaches to several organizations and that the new legislation would just create more administrative work. The draft legislation affects select industries that are part of the country’s critical infrastructure and aims to clarify notification requirements for those companies that experience breaches. The government says the bill intends that only severe breaches must be reported, but Nederland ICT says that if the bill becomes law, companies are likely to start reporting all breaches. [ZDNet]

EU – MPs Give Data Harvesters “Green Light”

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament’s commitment to protecting consumer rights.” The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states. [Full Story]

EU – Google and Facebook Face Tougher EU Tax and Privacy Rules

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” [Financial Times]


US – NSA Program Monitors Credit Card Transactions

The U.S. National Security Agency’s (NSA) “Dishfire” program collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84% of NSA financial database Tracfin in September 2011. [Der Spiegel]

US – CFPB Guidance: Fraud Reporting Won’t Breach GLBA

The Consumer Financial Protection Bureau (CFPB) has issued new guidance informing banks it’s their responsibility to report instances of suspected fraud of senior citizens and, according to the CFPB, reporting such exploits will not contravene the Gramm-Leach-Bliley Act. Bank tellers and other financial employees “can be instrumental in reporting such fraud,” said CFPB Director Richard Cordray, because they are familiar with the customers who may be exploited, The Wall Street Journal reports. [Source]


WW – Tech Giants Ask 21 Countries to Release Surveillance Data

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same. [The Hill]

US – Microsoft Releases Data on Government Requests for Information

Microsoft’s most recent Law Enforcement Requests Report details the number of requests for information it received from governments worldwide in the first half of 2013. Based on that number – 37,196 – Microsoft looks to be on track to receive roughly the same number of requests it did in 2012, when it received just over 75,000 requests. The report breaks down the requests by country, and indicates the company’s response to the requests. Microsoft provided non-content user data for 77 percent of the requests, while it provided customer content for 817, or 2.2 percent, of requests. The US government made 7,014 requests affecting 18,809 accounts. The report does not provide information about US national security requests. [ComputerWorld] [ZDNet] []


US – NIH Seeks Comments on GDS

The National Institutes of Health (NIH) is calling for comments following the publication of its draft Genomic Data Sharing (GDS) policy. The GDS, which applies to all NIH-funded research, “details the need to strip all data of names, Social Security numbers and other identifiers before uploading,” the report states, noting de-identified data is then required to be coded at random to protect privacy. “All data is subject to NIH’s desire for widespread sharing,” according to the report. [FierceBioTechIT]


EU – French Data Protection Agency May Fine Google for Privacy Violations

France’s data protection agency, CNIL, plans to fine Google for failing to comply with that country’s privacy requirements. Google was warned of the fines in June; the company was given three months to amend its privacy policy to clarify its collection and use of user data. The issue centered on Google’s decision to combine 60 services under a unified policy that allows the company to merge data from its different products, such as Gmail, YouTube, and Google+. The concern is that some users may not want their data connected in this way. Google maintains that its current privacy policy respects EU privacy laws. [WashingtonPost] [ComputerWorld] [CNET]

US – Google’s eMail Scanning May Violate Wiretap Law

A US federal judge in California has ruled that a lawsuit brought against Google for violating US wiretap law may move forward. The lawsuit alleges that Google violates the law when it scans email messages. Google maintains that it scans all emails that pass through its servers to check for spam as well as to create user profiles and provide targeted advertising. Google was seeking to have the lawsuit dismissed under a portion of the wiretap law that allows email providers to intercept messages if the action helps the message get delivered or is incidental to the efficient functioning of service. US District Judge Lucy Koh wrote in her decision, “the statutory scheme suggests that Congress did not intend to allow electronic communication service providers unlimited leeway to engage in any interception that would benefit their business models.” [Washington Post] [WIRED]

Health / Medical

US – Obama to Reinforce Privacy in Affordable Healthcare Act

The Obama administration is seeking to bolster privacy protections for Americans signing up for the federally mandated Affordable Healthcare Act. To help stem identity theft, personal privacy protection and fraud, the administration plans to launch a toll-free telephone number to report fraud incidents and an online verification system. Attorney General Eric Holder met with Department of Health and Human Services Secretary Kathleen Sebelius and FTC Chairwoman Edith Ramirez to discuss the privacy and security implications of the impending law. Concern has also been expressed about counselors—also called navigators—who are set to educate and help Americans enroll in the health exchanges. A House Committee report stated, “There are already reports from across the country that scam artists are attempting to impersonate navigators and assisters to steal credit card information and personally identifiable information in order to take advantage of massive confusion about Obamacare.” [Reuters]

US – Data Privacy Tests Needed, GOP Lawmakers Say

House and Senate Republicans have introduced legislation that would delay enrollment in the healthcare exchanges under the Affordable Healthcare Act until it is confirmed that robust data protection standards are in place. Sen. Orrin Hatch (R-UT), a sponsor of the Trust But Verify Act, says the Government Accountability Office must verify that data privacy safeguards are in place. “It would simply be irresponsible to open the exchanges without adequate safeguards to protect and secure consumers’ personal information,” Hatch said, adding, “While the administration claims that these safeguards exist, there is simply no way to verify these claims absent an independent review.” [The Hill]

US – Grace Period Ends for Updated HIPAA Rule Compliance

As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules’ security and privacy measures, and new restrictions on covered entities’ marketing and sale of personal health information. [SC Magazine]

US – HHS Releases Model HIPAA Privacy Notices

The Office for Civil Rights, in collaboration with the National Coordinator for Health Information Technology, has released three model privacy notices to help providers comply with the Health Insurance Portability and Accountability Act (HIPAA), according to a U.S. Department of Health and Human Services press release. The three new notice of privacy practice models were constructed out of input from “consumers and key stakeholders” and include the recent changes in the HIPAA Omnibus Rule. The three options include notice in the form of a booklet, a layered notice and a text-only version. [HHS]

US – HHS Launches Meaningful Consent Site for Providers

The Department of Health and Human Services (HHS) has launched an online resource to help healthcare providers “effectively engage patients” in choosing how they want their electronic health information shared. The site provides strategies and tools to help educate patients. “As patients become more engaged in their healthcare, it’s vitally important that they understand more about various aspects of their choices when it relates to sharing their health in the electronic health exchange environment,” said the chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology. [HHS]

US – Omnibus Rule Kicks In, Four Compliance Steps for BAs

In light of the implementation date of the HIPAA Final Rule on Privacy and Security, there are four steps that business associates (BAs) need to take to comply with the update. For covered entities, the effects “are mostly incremental because the compliance structure remains unchanged,” but for BAs, the change “raises the risks of noncompliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities,” making them subject to government fines and civil penalties, the report states. Meanwhile, a new study reveals there is increasing confidence in cloud technology among healthcare policy decision-makers. [Government Health IT]

US – OCR’s Rodriguez Says Increased Enforcement Ahead

The Office for Civil Rights Director Leon Rodriguez said there will be increased enforcement of HIPAA regulations, highlighted the importance of appropriately protecting patient privacy and discussed the “what-not-to-dos” regarding healthcare privacy. “Today is a critical day for the Omnibus,” Rodriguez said. “On the one hand, you have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he noted, adding, “But at the same time, you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.” [Government Health IT]

US – US Food and Drug Administration to Regulate Some Medical Apps

The US Food and Drug Administration (FDA) will impose the same regulations on certain mobile medical apps as it does on medical devices. The apps affected are those that perform the same functions as medical devices, like blood pressure monitors. According to the FDA, “If a mobile app is intended for use in performing a medical device function [such as diagnosis, cure, mitigation, treatment, or prevention], it is a medical device, regardless of the platform on which it is run.” Apps that log and track trends would not be subject to regulatory oversight. [NextGov] [FDA Document on Mobile Medical Applications]

US – DEA Cites Third Party Doctrine With Prescription Data Case

An argument submitted by the Drug Enforcement Agency (DEA) in response to an American Civil Liberties Union (ACLU) lawsuit over the privacy of certain medical records. According to the DEA, citizens who share medical records with pharmacies—or any other third party—have “no expectation of privacy” regarding that data. According to a blog post, ACLU Attorney Nathan Wessler wrote, “Just because we trust our doctors and pharmacists with our medical information, doesn’t mean the DEA should be able to easily access it too.” [The Verge]

US – Sensor Network to Track Seniors Launched

A new product designed to track the activity of seniors living on their own. The system, created by Lively, consists of various sensors strategically placed around a home that report movements—such as refrigerator or medicine cabinet doors being opened—to a base station connected to an app. The system aims to let concerned guardians know if individuals are taking their medicine and moving around the house. “This is not ‘Big Brother’ monitoring,” said one of the company’s founders, adding, “Lively’s passive sensing tracks just enough information to interpret meaningful activity that shows how you’re doing without sharing too much.” [TechCrunch]

Horror Stories

US – Underground Identity Theft Site Hacked Data Aggregators

An underground website that trades in identity theft data reportedly gathers information by breaking into computers at major US data aggregators. The site, SSNDOB, sells Social Security numbers (SSNs), birthdates, and other personal data. Network analysis showed that SSNDOB administrators were also operating a botnet that had infiltrated servers at LexisNexis, Dun & Bradstreet, and Kroll Background America. [Krebs] [The Register]

WW – Data Broker Hackers Also Compromised NW3C

Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned”  from data breach incidents. [Krebs on Security]

Identity Issues

US – NIST Awards Grants for Development of Trusted Identity Systems

The US National Institute of Standards and Technology (NIST) has awarded more than US $7 million in grants to five organizations to develop systems for online identity protection and verification. The grants are part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). [Information Week]

AU – Australia Bar-Scanning Bill Raises Red Flags

An Australian bill is being considered that would require patrons of venues in Sydney’s Kings Cross to have their identity scanned and stored to monitor and enforce entrance bans on individuals who have committed serious crimes. The legislation would enforce ID scanning at 35 “high risk” venues and would collect names, dates of birth, addresses and photographs. Australia Privacy Foundation’s Roger Clarke said, “The measure doesn’t only affect the targeted individuals, it represents a serious imposition on all patrons of the venues that the government brings within its scope.” [The Guardian]

Intellectual Property

US – Copyright Attorney Suing Record Label Over Automated Takedown Notice

Harvard Law School professor Lawrence Lessig is suing an Australian record label that attempted him to sue him for copyright infringement. The matter involves a lecture given by Lessig that is available on YouTube. The lecture is in fact about the need for copyright law to be adjusted for the Internet. In the lecture, Lessig uses a clip from a song to which the Australian record label holds the rights. However, the company backed down after Lessig invoked the fair use legal doctrine. Lessig then sued the company for initiating a bad-faith lawsuit. Lessig filed the suit because he believes music labels should stop depending on automated systems to detect possible infringements and send takedown notices. []

EU – Spain Approves More Stringent Anti-Piracy Law

Spanish Legislators have approved new anti-piracy laws that punish even those who link to pirated content for either “direct or indirect profit.” People found guilty of piracy could face up to six years in prison for aggravated circumstances. [ArsTechnica]

US – MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools

The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California’s elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications forms among its board members. A draft of the program suggests that using other people’s works without permission is worse than copying someone’s answers on a test. Those helping to develop the curriculum stress that it is still in draft form. [WIRED]

US – MPAA Says Search Engines Should Do More to Prevent Piracy

The Motion Picture Association of America (MPAA) has released a report indicating that search engines need to make a more concerted effort to help fight piracy. The report comes just as the Commerce Department is considering ways to help private sector companies fight piracy. The MPAA’s report said that Google’s recent changes to its search algorithm have not had an effect on piracy. [WIRED] [LATimes] [Politico] [MPAA]

US – Netflix Monitors Piracy Sites to Determine Content to Buy

Netflix acknowledged that it tracks activity on known piracy websites to help it decide which movies and television programs to purchase for its online streaming service. Some others in the industry have noted that there can be an up side to piracy. According to the creator of “Breaking Bad,” piracy helped keep the show alive. Initial broadcasts of the show garnered few viewers, but once circulated through piracy, the show gained a following. A Time Warner executive suggested that the same is true of the “Game of Thrones” series. [BBC]

US – AT&T Issues Piracy Warning to Customers

AT&T is warning its customers that if they are found to be engaging in Internet piracy, their Internet access could be severed. The warning, which came in the form of a letter, is part of the company’s implementation of the so-called “six strikes” anti-piracy policy. The letter says the illegal activity “could result in mitigation measures including limitation of Internet access or even suspension or termination.” Several years ago, AT&T reportedly said it would terminate users’ accounts only upon receipt of a court order. [ArsTechnica]

Internet / WWW

WW – Is This the End? DAA Withdraws from W3C Process

In a letter sent to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance (DAA) announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.” Instead, the DAA says it is convening its own DNT process, beginning almost immediately, for evaluating “how browser-based signals can be used meaningfully to address consumer privacy.” That process “will be a more practical use of our resources than to continue to participate at the W3C,” wrote DAA Executive Director Lou Mastria. In this exclusive for The Privacy Advisor, we look at what’s next for the DAA, how the DNT process fell apart and whether legislators and the Federal Trade Commission are about to get involved.  [Full Story]

WW – W3C Not Ready to Give Up the Ghost

The World Wide Web Consortium (W3C) has announced the appointment of two new chairs for its Tracking Protection Working Group (TPWG). Carl Cargill, a director at Adobe, and Justin Brookman, from the Center for Democracy & Technology, will join incumbent Matthias Schunter, principal at Intel. This exclusive for The Privacy Advisor explores the new priorities for the W3C’s TPWG and insight from Brookman on what’s next for the multi-stakeholder process. [Full Story]

WW – With DNT, What Next for Policymakers?

In what can be perceived as a rollercoaster week for the World Wide Web Consortium’s Do Not Track (DNT) working group, IAPP VP of Research and Education Omer Tene asks if the appointment of the Center for Democracy & Technology’s Justin Brookman and Adobe’s Carl Cargill can save the process. “Hopefully, all sides will work together to pursue an agreed-upon solution, since an implosion of the process, which seemed inevitable on Tuesday as the Digital Advertising Alliance announced its departure from the group, would cast a long shadow over the prospects for multi-stakeholder resolutions to the burning privacy problems of our time,” he writes. In this post for Privacy Perspectives, Tene explores what’s next for DNT and the policymakers working on such a resolution. [Full Story]]

WW – Study: Whois System’s Privacy Controls Being Abused

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused. ICANN—a pseudo-directory of contact details for domain names—is recommending the Whois system be replaced to include authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information. [ZDNet]

Law Enforcement

CA – Police Pledge Adherence to Privacy Guidelines

Hamilton police have agreed to follow Ontario’s privacy guidelines for the use of video surveillance. The newspaper had previously revealed the police department’s video surveillance program appeared to be “violating provincial guidelines designed to protect the public’s privacy, and this had been the situation for years,” the report states. Deputy Chief Ken Leendertse announced new policies to comply with the provincial guidelines and promised an annual report reviewing the program “and its effectiveness according to the privacy commissioner’s ‘Section 4’ criteria, which deal with demonstrating an ongoing need for surveillance and proving the effectiveness of the tool,” the report states. [The Spectator]


WW – Usage-Based Car Insurance Raises Privacy Concerns

A new study out of the University of Denver reveals that pay-as-you-drive insurance plans may pose a potential privacy risk for drivers. Though insurance companies do not collect location data with these plans, the research found that driving habits, including speed, braking and acceleration, mileage and time of travel have the potential to reveal a detailed portrait of a driver’s movement within a specific time period. According to the research paper, “Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk.” [Source]

US – New Offline Tracking Methods Come to Airports

Recent reports have detailed retailer tracking of shoppers via smartphones and other mobile devices, but the practice has extended to some airports, according to Covington & Burling Partner Nigel Howard in a recent post for InsidePrivacy. The offline tracking systems aim to follow passenger patterns, detail real-time movement of travelers and track retail behavior by using a unique identifier system. Though these systems provide several benefits, Howard writes, “they also raise privacy issues that might not fit neatly into the notice-and-choice framework that—notwithstanding the FTC’s recent efforts—still is the predominant model of privacy protection in the U.S.” [InsidePrivacy]

US – Apple Wants Class-Action Status Denied

Apple says iPhone users suing the company for allegedly allowing app developers to access personal information shouldn’t be able to proceed with a class-action lawsuit. In the case, consumers claim Apple misled them by sharing their devices’ unique identifiers with app developers after promising to protect their personal information. But Apple says consumers haven’t presented “a shred of evidence that even a single app transmitted ‘personal information.’” The company is asking U.S. District Court Judge Lucy Koh to reject the plaintiffs’ request for class-action status. [MediaPost News]

Online Privacy

WW – Google May Ditch ‘Cookies’ As Online Ad Tracker

There are rumours of a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future. [USA TODAY]

US – Industry Reacts to Google Cookie Alternative

The ad industry is reacting to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. [Wall Street Journal]

US – Facebook Hires Privacy Pro as New Deputy Counsel

Facebook has hired Ashlie Beringer, a partner at California firm Gibson Dunn and co-chair of the law firm’s information technology and data privacy practice group, as the company’s new deputy counsel. Beringer will report to Facebook General Counsel Colin Stretch, “who was promoted from deputy to take the social network’s top legal job in June after long-running GC Ted Ullyot left the company.” Beringer will run Facebook’s legal department’s litigation, regulatory and product groups. She will begin at Facebook November 18. [TechCrunch]

US – Court Says Facebook “Like” Is Protected

The Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff who said he was fired for “liking” the Facebook page of a man running for his boss’s position. Chief Judge William Traxler, Jr., said in the ruling, “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the user ‘likes’ something, which is in itself a substantive statement.” However, the report cautions, “The decision may not protect social networkers who press the ‘Like’ button with abandon” as the First Amendment “primarily protects individuals from government action,” one expert notes. [MarketWatch]

US – Tumblr Inks Deal With Analytics Biz

Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.” [TechCrunch]

Other Jurisdictions

AU – New Australian Privacy Principle Guidelines Released for Comment

The second stage of Australian Privacy Principle (APP) guidelines have been released for public comment. APPs one through five were published in August, and this next set addresses “new requirements for agencies in how they use or disclose personal information, undertake direct marketing activities and send data off-shore,” according to Privacy Commissioner Timothy Pilgrim. Noting specific concerns related to APP 8, Pilgrim said, “These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas.” The Office of the Australian Information Commissioner will accept submissions until 21 October. [ComputerWorld]

AU – Commissioner To Release Mobile Guidelines

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday. [IT News Australia]

SG – New Data Protection Guidelines for Singapore

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act—introduced in January and which goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.” [Out-Law]

SA – South African President to Sign Data Protection Bill

The Protection of Personal Information Bill has recently passed in Parliament and will soon be signed into law by the president, report attorneys for Edward Nathan Sonnenbergs. The bill brings South Africa in line with international data protection laws, the report states, granting citizens the right to privacy when it comes to organizations collecting and processing their personal information by mandating compliance with eight conditions, including accountability, purpose specification and security safeguards. [Mondaq]

US – Experian Buys Fraud Detection Firm for $324 Million

Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication. [Reuters]

Privacy (US)

US – FTC Reaches Settlement With Company Over Unsecure Webcams

The FTC has reached a settlement with a company whose webcams lack adequate security. Trendnet cameras contain vulnerabilities that allow anyone online to view the devices’ feeds. Under the terms of the settlement, Trendnet may not refer to the cameras as “secure” in marketing materials. Trendnet must notify customers of the security issue, provide help to make the devices more secure, and undergo third-party security audits every two years through 2033. (The incident reported last month in which a stranger hurled obscenities at a Texas couple and their toddler through the webcam they were using as a child monitor involves a device from a different company.) [CNN] [The Register] [BBC] [Washington Post]

US – FTC’s Jessica Rich Lays Out Ambitious Ad Enforcement Agenda

FTC Director of Consumer Protection Jessica Rich remarks to the advertising community in New York City. “The FTC has long had a focus on national advertising,” she said. “We’re by no means finished.” Specifically, Rich noted the agency will step up enforcement in the digital arena, including mobile advertising disclosures. “This will be an area of increased law enforcement in the coming year,” she said. In addition to the “numerous privacy concerns” in the Big Data sphere, Rich said, “The NSA and Snowden incidents have done a lot to raise awareness about the collection of consumer data,” adding, “Consumers should be able to expect basic privacy and security protections.” [AdWeek]

US – FTC Files Complaint Against LabMD for Alleged Data Exposure

The US FTC has filed a complaint against a medical testing laboratory for allegedly exposing the data of more than 9,000 individuals. The complaint alleges that LabMD put the data at risk of theft in two separate incidents. In 2009, patient data were reportedly available on peer-to-peer (P2P) file sharing networks. In 2012, California police found identity thieves had documents from LabMD that contained personal information of more at least 500 patients. [SCMagazine][ArsTechnica] [FTC Press Release] [FTC Complaint Links] See also: [LabMD CEO Fights FTC Complaint, Asks for Standards]

US – GSA Offers Electronic Privacy Refresher

The General Services Administration Center for Excellence in Digital Government has released a memorandum on agencies’ use of social media and the dangers of posting content that contains personally identifiable information (PII). A specialist with the center, Tim Lowden, reminds agencies that they are required by Section 208 of the E-Government Act to conduct privacy impact assessments “when developing or before acquiring or using third-party sites or applications that collect PII.” Meanwhile, a Forbes report examines a recent high-profile case involving social media to question what the right balance is when it comes to protecting privacy while “promoting accountability” online. [FierceGovtIT]

US – Lawsuit Targets JPMorgan Chase & Co. Over Privacy Issues

JPMorgan Chase & Co. is facing a proposed class-action lawsuit accusing it of printing Social Security numbers on the outside of forms mailed to customers telling them of the bank’s efforts to protect their private data. The suit was filed last week in federal court in Chicago, IL, and alleges the bank put customers at risk for identity theft. “Chase even says on its website that providing Social Security numbers to an identity thief is ‘as good as gold,’” said the lawyer who filed the suit. It’s unknown how many customers were affected. [Reuters]

US – Survey: Orgs Lacking Comprehensive Privacy Programs

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011.”. While 43% of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90% of organizations do have at least one person responsible for privacy, only 66% have a defined privacy officer role. [CIOOnline]

US – New Online Media Privacy Opinion Issued

According to a recent federal court opinion, “news organizations may be more liable in privacy lawsuits if their reporting is factually incorrect.” The opinion centers on how one gossip website used the plaintiff’s modeling pictures to allegedly publish a false story on the plaintiff, stating the model was a sister of a known celebrity. Senior District Judge Denis R. Hurley filed the opinion in Edme v Internet Brands, Inc. et al and denied a motion to dismiss in the case. Hurley noted that, although the published story “can be considered, for better or worse, a matter of public interest merely because its subject matter involved a celebrity,” the media website in the case reported an “undisputedly false” claim that the plaintiff was a sister of the celebrity, thus losing its newsworthiness. [Inside Privacy]

Privacy Enhancing Technologies (PETs)

WW – Patent-Approved Personalized TV Keeps Privacy in Mind

FourthWall Media has received the go-ahead from the U.S. Patent Office for its broadband device personalization technology. The technology analyzes consumer behaviors but addresses privacy concerns by storing viewers’ profile data only on the consumer’s own television or mobile device, the report states, where it can be used to indicate to targeted advertising technology which ad to run or what content would be preferred. [Rapid TV News]

WW – Box Aims for NSA-Resistant Cloud Security; Customers Hold the Keys

File-sharing service Box is working on a cloud storage solution that would put the encryption keys into the hands of its customers instead of the company. Box cofounder and CEO Aaron Levie said the current architecture of the company resembles that of Google or Microsoft “in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users.” Yet, with some forecasting a $180 billion loss in U.S.-based IT businesses in the wake of the NSA disclosures, the move to provide an “NSA-resistant” service is alluring. Levie said the company is “exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act. [Ars Technica]


US – US Senate Expands Data Privacy Investigation

Sen. Jay Rockefeller (D-WV) has announced he is expanding his investigation of the data broker industry after several companies refused to disclose specific details about their business practices around the collection and processing of consumers’ personal information. Expanding beyond the nine original data broker businesses, Rockefeller said he will investigate 12 additional health, personal finance and family-focused websites. To this point, the Senate investigation has found that data brokers categorize and market consumer dossiers into groups, and in some cases, the categories included names such as “Rural and Barely Making It” and “Ethnic Second City Strugglers.” Rockefeller said, “Regardless of whether such characteristics are positive, negative or erroneous, the process of determining these characterizations is not transparent to the consumer and is beyond the consumer’s control.” [Financial Times]


US – Report Says it’s Too Soon to Professionalize Cybersecurity

According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce’s skills. [NextGov]


US – Judge Says Government Must Declassify More NSA Documents

The Electronic Frontier Foundation (EFF) has announced that a federal judge has ordered the US government to declassify additional NSA-related documents by December 20, 2013. The ruling was made in a lawsuit, Jewel v. NSA, which was initiated in 2008. [ArsTechnica] []

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US – FISA Court Orders Patriot Act Opinions Declassified

The US Foreign Intelligence Surveillance Court (FISC) says it will release some of the legal opinions justifying the government’s wholesale collection of phone data. The FISC has ordered the US government to start declassifying some of its opinions regarding the Patriot Act. The documents will be revealed as a result of a lawsuit brought by the ACLU. [ArsTechnica] [WIRED] [ComputerWorld] [FISC Order]

US – NSA Director Defends Data Gathering Practices to Legislators

NSA Director General Keith Alexander told US legislators that the Foreign Intelligence Surveillance Court (FISC) has not placed an upper limit on the number of phone records the NSA may collect. Alexander said, “I believe it in the nation’s best interest to put all the phone records into a lock box that we can search when the nation needs to do it.” Alexander and several other intelligence officials along with members of the Senate Select Committee on Intelligence were speaking at a committee hearing. At the same hearing, Alexander avoided directly answering a question posed by Senator Ron Wyden (D-Oregon) about whether the agency had used cell phone data to track callers. [ComputerWorld] [Charlotte Observer] Speaking at a cybersecurity summit earlier in the week, Alexander defended NSA data gathering. He also said he is willing to share cyberattack information with private sector organizations. [Washington Post] [ComputerWorld]

US – FISA Court Releases Rationale on Legality of Phone Metadata Collection

The Foreign Intelligence Surveillance Court (FISC) has declassified its rationale that the collection of phone call metadata under the Patriot Act is legitimate. The FISC also noted that no US telecommunication company has ever challenged court orders requiring them to provide bulk telephony metadata. [WIRED] ]FISC Opinion] [FISC Rationale on Legality of Metadata Demands]

US – NSA Deploying Security Controls to Prevent More Leaks

The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to the NSA system will not do anything alone. The NSA is also limiting how employees store data on removable devices. [ArsTechnica]

US – NSA Seeks Civil Liberties and Privacy Officer

The NSA is seeking a Civil Liberties and Privacy Officer to be selected from within the agency’s ranks. The new position will bring together “the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official.” The officer will help NSA “ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies.” [The Register]

US – 20% of Cybersecurity Positions at DHS Directorate Remain Unfilled

According to the US’s Government Accountability Office (GAO), the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate’s Office of Cybersecurity and Communications, has more than a 20 percent vacancy rate for jobs. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries, and the fact that there are not clearly defined skills sets for cybersecurity positions. [GovInfoSecurity]

US – Proposed Legislation Would Amend FISA to Limit Data Collection

US legislators have introduced the Intelligence Oversight and Surveillance Reform Act, which aims to protect people’s privacy without sacrificing security. The proposed bill would amend the Foreign Intelligence Surveillance Act (FISA) by prohibiting bulk gathering of phone records and emails and prohibiting national security letters (NSLs) from being used for bulk collection of data. It would also establish the position of an independent constitutional advocate to “argue against the government when the FISC is considering significant legal and constitutional questions.” [ArsTechnica] [CNET] [SCMagazine]

Telecom / TV

US – Court: Debt Collectors’ Cell Phone Calls Exempt from TCPA

A federal judge in Pennsylvania has ruled the Telephone Consumer Protection Act (TCPA) does not apply to debt-collection calls, even those made to cellular phones. In Roy v. Dell Financial Services, the court relied on an earlier court decision that “all debt-collection circumstances are excluded from the TCPA’s coverage.” The decision conflicts with that of nearly all courts that have examined the issue, the report states. Most have found that calls made using automatic dialing systems violate the TCPA unless “prior express consent” has been given. [insideARM]

US – Vodafone Calls For New Approach to Mobile App Privacy Comms

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry. Vodafone Global Privacy Counsel Kasey Chapelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. “We need to develop short-form , consistent privacy notifications along the same lines as nutrition labeling,” Chapelle said, adding, “Mobile operators can’t play the role that we used to (in terms of protecting mobile users’ privacy) any more as people such as handset manufacturers (Apple for example) get involved (with app stores, etc.).” Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states. [Marketing Week]

US – Reddit, Civil Liberties Groups Renew Push for Email Privacy

A coalition of digital civil liberties groups are making a renewed push for a bill to reform the Electronic Communications Privacy Act. The coalition relaunched a website this week that supports the E-mail Privacy Act, a bill that would require the government to obtain a warrant anytime it wanted access to e-mails or documents stored in the cloud. “Internet surveillance is not going to be completely solved until we have a warrant requirement for content, until the Fourth Amendment protections apply fully to the Internet,” said Mark Stanley of the Center for Democracy and Technology—one of the groups advocating for the bill. [Mashable]

US Legislation

US – California Governor Approves Online “Eraser Button”

California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an “eraser button.” The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites’ servers. [CNET] [How California Is Shaping Privacy Law]

US – California Gov Signs Tracking Disclosures into Law

California Gov. Jerry Brown has signed into law an amendment to the California Online Privacy Protection Act (CalOPPA) that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, becoming the first state in the U.S. to impose such regulations on operators. As well as requiring operators to inform users about their handling of browsers and other DNT mechanisms, the law requires them to disclose whether they allow third parties to access personal information about users’ online behavior over time and on other sites. Operators who fail to comply with CalOPPA will receive a warning and have 30 days to come into compliance “before being deemed in violation of the law and subject to an enforcement action,” the report states. [rHunton & Williams’ Privacy and Information Security Law blog]

US – California Bill Would Extend Employee Social Media Law to Public Sector

The California Senate has passed a bill that would prevent public agencies from accessing employees’ or potential employees’ personal social media accounts except under certain circumstances. While Labor Code 980 already protects the social media accounts of employees and applicants in private-sector organizations, if Gov. Jerry Brown signs this bill, 980 will be amended to include public entities. The state sheriff’s association and probation officers oppose the bill, saying they won’t be able to appropriately screen candidates. [Lexology]

US – Gov. Signs Bill Allowing Kids to Delete Online Pasts

California Gov. Jerry Brown has signed into law a bill that requires online companies and app developers to give minors the ability to remove their online content. The bill is similar to EU proposals for a right to be forgotten. “A minor with a juvenile record can petition the courts to have it expunged when he turns 18,” said an attorney specializing in Internet privacy. “This new law is akin to what’s already out there in traditional law.” While the law only applies to Californians, companies based outside of the state must comply when dealing with California residents. [610KVNU]

US – UPDATE: Minnesota Off the Hook for DPPA Violation

While an employee of the Departments of Public Safety and Natural Resources may still see charges for inappropriately accessing drivers’ data through the state database, a judge has ruled that the state is not responsible for his alleged violations of the Drivers’ Privacy Protection Act (DPPA). The judge based her ruling on the plaintiffs’ failure “to allege that any act by the state defendants violated the federal Drivers’ Privacy Protection Act—specifically, the complaint does not allege the defendants knowingly ‘obtained, disclosed or used’ any of the plaintiffs’ personal information ‘for a purpose not permitted’ by the DPPA.” [Law360]

US – Senators Address NSA Phone Program; Rival Bills Issued

At least two new bills have been introduced in the Senate addressing the National Security Agency (NSA) phone surveillance program. The Senate Intelligence Committee is looking to swiftly pass legislation that would “change but preserve” the recently revealed dragnet program. The bill, backed by Sens. Diane Feinstein (D-CA) and Saxby Chambliss (R-GA), would require public reports revealing frequency of access by the NSA to the call log database, reduce the retention time from five to two years and require the NSA to send the data it searches to the Foreign Intelligence Surveillance Court for review. A rival bill, backed by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), would ban the collection program. [New York Times]

US – Sen. Leahy Aims to Revamp NSA Capabilities

Speaking at Georgetown University on September 24, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to aggressively pursue legislation to curb the National Security Agency’s surveillance powers. Leahy announced he is working together with USA PATRIOT Act author Sen. Jim Sensenbrenner, Jr., (R-WI) and Sen. Mike Lee (R-UT) to craft the new legislation. “I am convinced that the system set up in the 1970s to regulate the surveillance capabilities of our intelligence community is no longer working,” Leahy said, adding, “In my view—and I’ve discussed this with the White House—the Section 215 bulk collection of Americans’ phone records must end.” [The HIll]

Workplace Privacy

UK – Former Barclays Employee Fired, Fined for Accessing Customer Data

A former Barclays Bank employee has been fined GBP 3,360 (US $5,400) for accessing a customer’s data without permission. Jennifer Addo was found to have accessed the customer’s data 22 times between May and August 2011. The incident came to light when the customer noticed that a friend of Addo’s knew things about him that could only be found out by looking at information in the bank’s possession. Barclays terminated Addo’s employment shortly after the customer registered a complaint. [] [Information Age] [Credit Today] See also: [I Spy With My Corporate Eye: The Employee Services Conundrum]




01-15 September 2013


US – U.S. to Expand Data Sharing Overseas

The Department of Homeland Security plans to expand foreign biometric data sharing. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals. [FCW] SEE ALSO: [US: Ohio scrambles to secure facial recognition system]

WW – Apple Releases Include Fingerprint Sensor

Apple has released two new iPhones, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. [New York Times] [WSJ: Apple’s Fingerprint Feature and Pleading the Fifth] [Apple provides details on Touch ID’s privacy features] [What NSA snoops like about the iPhone] and [Thieves may mutilate owners in bid to gain access to fingerprint-reading handsets, expert warns] and [Canadian company puts password protection a heartbeat away]

WW – NIST: Iris Recognition Authentication Method Needs Some More Work

Federal researchers have reconfirmed the reliability of the iris as an authentication factor. But we’re at least 3 years away from using iris scanning as an advanced method of user authentication for IT systems. What’s holding back iris recognition as an authentication tool to access information on IT systems? According to experts, there are three main reasons: size, cost and culture. Specialized iris-reading cameras are too big to fit into the form factor of a laptop, smart phone or tablet. To be practical, an iris camera needs to be shrunk to the size of a webcam. For now, most iris cameras are much larger. Iris-reading cameras are too costly to be economically feasible to build into user devices – even if they could fit. Iris scanners and cameras cost hundreds if not thousands of dollars each. Imagine what that would do to the cost of a laptop of tablet. Another barrier: The IT security culture. When addressing authentication, many organizations’ IT security groups focus on something the user knows (password) or something the user has (token) and not on who the user is (biometric). That type of thinking needs to change. [Source    ]


CA – OIPC: GPS Tracking of Employees Is OK

BC’s Office of the Information and Privacy Commissioner (OIPC) has ruled that two elevator companies in the province can continue to use GPS technology to keep tabs on their employees. The employees had filed complaints that the practice violated their privacy. The OIPC did rule, however, that one of the companies must temporarily suspend the practice until it provides better notice to workers about data collection and use. One privacy advocate says the case indicates the need for new discussions about tracking given advances in technology since legislation on the matter was crafted. Meanwhile, Postmedia News suggests appropriate privacy policies can help keep employers out of trouble. [The Canadian Press]

CA – How to Keep Your Home’s Purchase Price Secret

Clients often ask whether I can keep the price they are paying for their home off the title record. The main reason is for privacy. They don’t think it is anybody’s business but theirs. You can do it if you pay the land transfer tax in advance. The tax is usually paid by your lawyer, but you can do it yourself. If that’s the case, you must include these documents with your request: A cover letter from the lawyer; A copy of the original agreement of purchase and sale; The draft deed to be registered on closing; A copy of the statement of adjustments; Three signed land transfer tax affidavits; and A certified cheque payable to the Ministry of Finance for the amount of land transfer tax owing. The Ministry will then provide your lawyer with a special code to be entered on closing, to confirm that the land transfer tax has already been paid. If the house is in Toronto, you will also have to pay the municipal Land Transfer Tax. In order to pre-pay this tax, there is a similar process that must be followed but you have to send the material to a different location. In all cases, what will show on your title after closing is either zero or $2 for the price paid. [Source]

CA – Saskachewan Privacy Commissioner Says SGI ‘Over Gathering’ Information

Saskatchewan’s Privacy Commissioner says SGI needs to stop “over gathering” medical information about crash victims, but the government-owned insurer says it’s not up to the commissioner to pass judgment. The latest report from Gary Dickson details the case of a woman who made an injury claim after a collision. SGI told her they would need medical files related to injuries to her neck and back.

But the report shows SGI gathered all of her medical files, including a reference to a sexually-transmitted disease the woman had years earlier. SGI did not explain why it gathered that information. It also says accident claims do not fall under the Privacy Commissioner’s jurisdiction. The information watchdog disagrees. [Source] [Saskatchewan Commissioner concerned] See also: [Ontario Liberals look for place to store 1.4 million boxes of government records]


WW – Survey: 86% of ‘Net Users Mask Footprint; Scared of Peers More than Gov’t

According to a recent survey, 86% of Internet users have taken at least one step to remove or mask their digital footprints online, and 55% have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses. Given recent revelations about U.S. government access to data, Director Lee Rainie said he was surprised to find that respondents were more concerned with hiding data from people they knew than the government or law enforcement. [Full Story]

WW – Consumers: Forget Screen Size, Cameras; Sell Us Privacy

Consumers are now more concerned about privacy in the use of their mobile phones and apps than they are about screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users’ prioritized their concerns. [Full Story] SEE ALSO: [Canada’s Moral Compass Points to Apathy on Online Privacy]

US – Insurer Wants Out of Breach Coverage in ZIP Code Case

Consumers in California, Massachusetts and Washington, DC, are suing Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc., for collecting ZIP codes during credit card transactions. OneBeacon American Insurance Company says the retailer’s insurance doesn’t cover such privacy issues, the report states, and is asking a federal judge to absolve it of any obligation in the case. [Main Justice]  For a primer on this issue, see Angelique Carson’s report, with a guide to zip code law.

US – Project Aims to Educate About Digital Footprints

A National Science Foundation-funded project called Teaching Privacy and a related online tool lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not “ tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity. [GigaOm]

JP – Tokyo Taxis Alert Passengers When They Leave Something Behind

Each taxi will be equipped with four cameras; one under the driver’s seat, one under the front passenger seat, one on the ceiling and one in the taxi’s trunk. The system works by comparing before and after images of the areas photographed. If the system detects an item left behind, such as a purse or a mobile phone, it instantly sounds an alarm, allowing the passenger to retrieve his or her belongings before the taxi drives off. To address privacy concerns related to the new system, the company claims the system won’t capture clear images of the faces and signs will be posted inside the vehicles to alert passengers of the cameras. It was reported that Tokyo drivers reported to police 210,000 objects left behind in their cars last year. The company also claims that it has recovered a vast range of items from its cars over the years. It says that mobile phones account for about 60 per cent of objects left behind. [Source]


US – Employees Improperly Used Driver’s License Database: Suit

18 people plan to file a lawsuit in Minneapolis federal court, claiming that government employees in Winona and more than 50 other Minnesota counties and cities violated their privacy by inappropriately using the state’s driver’s license database. The complaint alleges that “government officials targeted citizens based on their political involvement” and searched private information using the database, commonly used by law enforcement. Attorney Erick Kaardal, who represents the accusers, said he plans to reveal evidence of more than 600 illegal searches by employees of municipalities. The state’s driver’s license database made news last year, when a Department of Natural Resources employee was accused of using it to access the records of thousands of people, the vast majority of whom were women. A February 2013 report from the state legislative auditor’s office found numerous cases of abuse, including a case where 88 law enforcement employees misused the database, and some continued to after leaving their job. The report found that more than half of law enforcement personnel who used what’s called the Driver and Vehicle Services database had searched information on people with their same last name, or searched primarily for either women or men during 2012. “Law enforcement personnel have used their access to driver’s license data for non-work purposes or work purposes that are not allowed by state law,” the report found. The office’s report said monitoring, accountability, and training all need to be strengthened. [Source]


US – Lavabit Owner Appealing Surveillance Order

Lavabit owner Ladar Levison has appealed the secret surveillance order received from the US government that prompted him to shutter his business in August. The details have been placed under seal. The surveillance order forbids Levison from disclosing what the government has asked of him or who its target was. [WIRED]

US – Archives: Federal Workers May Use Secret Emails

Administration officials and other federal workers may continue to use secret government email accounts to conduct official business as long as the messages are safely preserved and turned over when they are sought under the Freedom of Information Act, the nation’s record-keeping agency said. New rules from the National Archives and Records Administration follow an Associated Press investigation earlier this year that found that some Obama administration political appointees used government email accounts that were not disclosed to the public or to congressional officials. On Tuesday, U.S. Archivist David Ferriero told a House oversight hearing that he doesn’t care how many email addresses government officials use. But Republican lawmakers said multiple email accounts, while could be useful for organizing large numbers of emails, may complicate efforts to pinpoint which accounts belong to whom. [Source] SEE ALSO: [Deleted emails in power plant scandal prompts push for training] and [Google lawsuit stirs debate over email privacy rights]

Electronic Records

US – ONC Releases Guidance on Interoperable E-Health Exchanges

The Office of the National Coordinator for Health Information Technology has released guidance in order to facilitate interoperable electronic health information exchanges. While many healthcare providers qualify for Medicare and Medicaid electronic health record incentive payments under the HITECH Act, there are many providers that are ineligible for such payments. The guidance aims to “serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange.” [Source]

CA – MGS Statement on Commissioner Cavoukian’s Special Report

Minister of Government Services John Milloy made the following statement on the actions taken to comply with the recommendations in the Special Report on the records management practices of political staff: “I want to thank the Information and Privacy Commissioner again for her report and for meeting with me in June. Our government takes its recordkeeping obligations seriously and we are committed to being open, accountable and transparent. Addressing Dr. Cavoukian’s recommendations has been a top priority to ensure that situations referred to in her report do not happen again. I want to thank both the offices of the Information and Privacy Commissioner and the Integrity Commissioner for working with our government on these important issues. The actions we are announcing today address all of Dr. Cavoukian’s non-legislative recommendations, including:

  • Developing a mandatory training program for all political staff to ensure that staff are fully aware of and trained in their records management obligations;
  • Creating a working group of Premier’s Office staff, Cabinet Office staff and Ministry of Government Services staff to clarify and strengthen the government’s records retention policies and practices so that they can successfully be put into practice;
  • Appointing ministers’ chiefs of staff and the Premier’s chief of staff as the persons accountable for the implementation and compliance with records management policies in each of their respective offices and appointing a senior advisor in the Premier’s Office to provide advice and guidance to all offices on these issues; and,
  • Improving archiving requirements by conducting a review of the archiving schedules.

The Premier has also issued a directive to all political staff underlining the serious obligations of staff to manage records in accordance with approved records retention schedules, and to complete mandatory training. [Source] and [Statement from Commissioner Cavoukian in response to September 4 statement by the Minister of Government Services]


WW – NSA Undermines High Level of Internet Encryption

The latest leak from former government contractor Edward Snowden reveals the U.S. National Security Agency has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world,” according to a multi-pronged report by The New York Times, ProPublica and The Guardian . Since 2000, the agency has invested billions of dollars to influence international encryption standards and force technology companies to provide backdoor access to encrypted communications. The ACLU’s Christopher Soghoian said the programs are “making the Internet less secure and exposing us to criminal hacking, foreign espionage and unlawful surveillance,” adding that it “will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” [Full Story] See also: [Real privacy means oversight – Op-Ed: Ann Cavoukian, Ron Deibert, Andrew Clement and Nathalie Des Rosiers The Globe and Mail] and [Canada complicit in undermining Internet privacy: Geist] and [US: Johns Hopkins reverses decision forcing prof to pull NSA post] and [US – Poll: Public Doubts Rise on Surveillance, Privacy] and [Ontario Privacy Watchdog Is Not Amused With The NSA] and [Schneier on NSA’s encryption defeating efforts: Trust no one]

WW – Google Encrypts Data Amid Backlash Against NSA Spying

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said. The move by Google is among the most concrete signs yet that recent revelations about the NSA’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs. Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, which obtains data from American technology companies, including Google, under various legal authorities. Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers. [Source]

EU Developments

EU – MEPs Call for Halt to Anti-Terror Program

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP). “I think there is more than enough evidence to call for a suspension,” said Dutch MEP Sophie in’t Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, “The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.” [CIO]

EU – New Data Breach Notification Requirement in Effect

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, Laura Vivet Tañà examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach. [Full Story]

EU – Safe Harbor May Be Controversial in the EU, But It Is Still the Law

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency’s PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor’s fate. Full Story


EU – Mosley Wants Censorship Google Isn’t Willing to Give Up

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used, the report states, but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship,” the report states. [Financial Times]


US – CFPB Seeks to Monitor Credit Card Transactions

Officials at the Consumer Financial Protection Bureau (CFPB) are seeking to monitor 80% of all U.S. consumer credit card transactions this year through a controversial data-mining program. A CFPB planning document for fiscal years 2013-17 indicates plans for a “markets monitoring” program as well as plans to monitor up to 95% of mortgage transactions. “This is one step closer to a Big Brother form of government where they know everything about us,” said Rep. Sean Duffy (R-WI) at a hearing on the matter last week where critics asserted the agency’s plans are beyond its authority. [Washington Examiner]

WW – G20 Countries to Share Tax Records to Crack Down on Cheats

Tax records will be shared around the world by 2015 as part of a G20 pledge to crack down on individual tax cheats and global corporations with complicated arrangements aimed at paying as little tax as possible. The topic of taxation in a global economy has become a major political issue of late, as multinational firms like Apple and Starbucks have faced scrutiny over their corporate structures. Further, investigative reports into the use of offshore tax havens by the world’s wealthiest individuals added momentum to the view that governments are getting short-changed of much needed revenue. As business increasingly moves online and international, cash-strapped governments approved an aggressive timeline to adopt the automatic exchange of tax information among the G20. The deal was solidified after China, the last holdout, agreed to the plan just days before the summit in St. Petersburg. A proposed U.S. law requiring foreign governments – including Canada – to report banking information involving U.S. citizens has already ran into concerns from the Canadian government and attracted the attention of Canada’s privacy commissioner. Questions of privacy will likely increase given that the G20 includes non-democratic countries where human rights are a concern, including China and Saudi Arabia. [Source]


WW – Internet Giants Make New Push for FISA Transparency

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post. Full Story

US – Yahoo Issues First Gov’t Transparency Report

Yahoo’s first government transparency report indicates the company “received 12,444 requests for data from the U.S. government so far this year” related to the accounts of 40,322 users. Of those requests, “37% disclosed the content of Yahoo accounts, such as words in e-mails, photos or uploaded files. In about 55% of the requests made, the company disclosed information about its users that did not involve content but gave information such as names, location data and e-mail addresses.” To date, the report states, Yahoo has rejected “two percent of those federal government requests.” [The Washington Post] SEE ALSO: [Toronto Mayor Rob Ford’s office on ‘honour system’ to release all requested records]

US – Internet Companies Seek Permission to Disclose Gov’t Data Requests

Facebook, Google, and Yahoo have filed a petition with the US Foreign Intelligence Surveillance Court, seeking permission to disclose more information about secret data requests made by the government. The companies are stepping up their push because earlier efforts, made in the wake of revelations about the existence of PRISM and other government surveillance programs surfaced earlier this summer, were not successful. The companies want to disclose detailed information about national security requests made under FISA. Google has asked that the hearing be made public. [NBC News] [CNET] [ComputerWorld]


EU – Proposed DNA Bill in Ireland Leans Toward Destruction

Minister for Justice Alan Shatter has published a bill on the establishment of a national DNA database. The bill takes into account privacy concerns about earlier versions of the bill on destruction of samples and deletion of DNA profiles, among others. Shatter’s bill would allow authorities to take DNA samples from most criminal suspects but the default would be in favor of the destruction of such samples when an individual is not convicted. [Irish Times]

WW – What Happens if Newborns’ Entire Genomes are Screened?

U.S. government is funding studies on what happens if you screen newborns’ entire genomes. The aim of the study is to find out if the data results in better healthcare or simply data overload. “We would like to see if genome sequencing can shed light on disorders that we don’t screen for currently,” said National Institute of Child Health and Human Development Director Dr. Alan Guttmacher, adding there are questions involved. “How do we protect the baby’s privacy? Where will the baby’s genome data be stored, and who will have access to it?” [NBC News] SEE ALSO: [The Privacy Conundrum And Genomic Research: Re-Identification And Other Concerns]


US – Google Case Can Proceed, Appeals Court Rules

A federal appeals court in San Francisco has said a lawsuit accusing Google of illegal wiretapping can proceed. The case involves Google’s Street View initiative, in which Google vehicles collected e-mail, passwords and other personal information from unencrypted home networks. Google wanted the case dismissed, arguing the data it accessed was exempt from the Wiretap Act because it was readily accessible to the general public. The appeals court agreed with an earlier federal court’s ruling, reasoning that, “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store and decode data transmitted by other devices on the network.” [The New York Times]

US – Federal Appeals Court Denies Google’s Bid to Dismiss Street View Lawsuit

The US 9th Circuit Court of Appeals has ruled that Google’s inadvertent harvesting of users’ personal information from unprotected Wi-Fi routers while collecting data for Street View is not exempt from the Wiretap Act and that the company may be held liable for civil damages. Google had sought to have the lawsuit dismissed, arguing that transmissions over Wi-Fi networks are “readily accessible to the general public.” [WIRED] [Ars Technica] [ComputerWorld] [ZDNet] []

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court on Thursday, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Associated Press] SEE ALSO: [Google security exec: ‘Passwords are dead’]

Health / Medical

US – New HIPAA Rules Require Revised Notices; Deadline Looms

Earlier this year, the Department of Health and Human Services Office for Civil Rights released omnibus regulations changing significantly HIPAA’s privacy, security, enforcement and breach notification rules. An article for Boston’s WBUR looks at what the changes mean for patients. Under the changes, covered entities must update and post a revised notice of privacy practices before September 23. In this report for Lexology, attorneys from Wilson Elser describe what such notices must include. Meanwhile, California lawmakers are considering proposing stricter HIPAA regulations. [Full Story] SEE ALSO: [US: Your Cat’s Name Could Soon Be Your “Personal Information”]

US – FTC Files Complaint Against LabMD; Companies Suffer Breach Fallouts

The FTC has filed a complaint against medical testing laboratory LabMD, Inc., alleging the company failed to reasonably protect consumers’ personal data, including medical information. The FTC alleges that in two incidents LabMD collectively exposed 10,000 consumers’ personal information. Meanwhile, the insurance company for Schnuck Markets has filed a lawsuit against the company seeking release from liability after a data breach earlier this year, and The University of Texas has informed patients of a data breach after a laptop containing their personal data was stolen. In Florida, the State Department of Health is the subject of criticism over new proposals regarding an online prescription database. And the U.S. Department of Energy has disclosed new information on a data breach affecting more than 14,000 employees. [Full Story]

US – Surgery Photo Prompts Privacy Concerns

A former patient has filed a civil lawsuit against a Los Angeles-based medical center after her doctor and his assistant decorated her face and took a photo while she was unconscious during a surgery. The state also investigated the case. The incident, as well as another involving a salesman taking a photo of a naked patient without the patient’s knowledge, has sparked concerns about mobile devices in healthcare facilities. “The idea that people are using their cellphone or even have one in the operating room is crazy,” said Deborah Peel, founder of Patient Privacy Rights. “It’s a massive security risk and incredibly insensitive to patients.” [Los Angeles Times] [Surgery photo leads to privacy lawsuit against Torrance Memorial]

Horror Stories

US – Hacker Accesses Two Million Vodafone Accounts

An intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. Compromised personal information include names, addresses, dates of birth and bank account information but did not include credit card information, passwords, PIN numbers or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8% yesterday. The attack was detected earlier this month and was halted. [Bloomberg] SEE ALSO: [Wal-Mart investigates privacy breach at Regina store]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. [Source]

US – Schools, Council Investigate Breaches

The Medical University of South Carolina sustained the largest breach of its history between June 30 and August 21 after a third-party credit card processing company compromised 7,000 patients’ data. Meanwhile, parents of 130 children at two elementary schools in Virginia say their children came home with other students’ sensitive data, prompting fears of identity theft. The Washington Post reports Washington, DC’s privacy officer has “serious concerns” after a paramedic wrote a letter to the DC Council that included a patient’s data, and the University of South Florida is investigating a data breach caused by an employee. [HealthITSecurity]

US – Breach Settlements and Class-Actions Filed

A recent dismissal of a case arising from a credit card skimming attack suffered by Barnes & Noble by the U.S. District Court for the Northern District of Illinois demonstrates the struggle plaintiffs face in trying to articulate injury, write attorneys for Ropes & Gray, LLP. Meanwhile, ModernHealthcare discusses the legal consequences of a recent and massive data breach at Advocate Health Care. MediaPost News reports on both a potential class-action filed in Illinois accusing Google of violating its privacy policy and on Netflix users’ request that a $9 million settlement of a class-action lawsuit be nixed. [Full Story]

Identity Issues

US – Aggregator to Show Users Their Data

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them. Users who visit will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data came from originally. Axciom’s CEO says the company aims to alleviate consumer fears on data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. [The New York Times] [US: Acxiom Lets Consumers See Data It Collects] SEE ALSO: [Dear Janice Lokelani Keihanaikukauakahihuliheekahaunaele: Your name is way too long for your ID]

SK – South Korea Steps Up Authentication Measures to Fight Financial Fraud

In an effort to combat cyber fraud, South Korea’s Financial Supervisory Service (FSS) says that as of September 26, 2013, people who conduct online transactions with banks, insurance companies, brokerage firms, and other financial institutions will be required to identify themselves through text messages or automated response systems. [ZDNet] [

CA – Protect New Passport from Hackers: Expert

AS of July 1, Canada joined several other countries and added computer chips to all new passports — they carry the passport information and a digital photo. An airport reader scans the passport and accesses the information on the chip in order to verify the identity of the pass-holder. The chips in the new passports work on radio-frequency identification, the same technology used in security ID cards and door readers. It is also the same technology that some smartphones have, using near field communication (NFC), which lets smartphones communicate by bumping, or lets people pay for parking using their smartphones. An NFC-enabled smartphone can access the data on chip-enabled passports using an app, giving the user access to the data in 30 seconds. The app is one of several similar apps available in the Android app store. If a user can enter the passport number, date of birth of the holder and date of expiry, they can access the information on the chip, including a digital version of the passport picture, with one tap of their phone. Rick Dykstra, parliamentary secretary to Citizenship Minister Chris Alexander, said the passports are still safer than the previous non-chipped versions. “Are they perfect? No. There are always fraudsters and hackers out there who will continue to try to take advantage, but we believe that we’re building a passport that is many times stronger and safer than the previous passport,” Dykstra said. There are ways to protect passports from being read, Neville said, recommending people protect their passports by placing them in RFID-proof cases, which surround the passport and prevent signals from coming in or going out, unless the passport is taken out of the case. American passports, for example, have that RFID-proofing built into their covers so they can only be scanned when opened. [Source]

UK – Government Signs First ID Assurance Contracts for Online Transactions

The UK government has signed contracts with the Post Office, Verizon, Experian, Digidentity and Mydex for the supply of the first live identity assurance services to drive secure online government transactions. The new cross-government identity assurance framework will see the contractors providing a service to enable people to assert their identity online without security concerns. The development of the identity assurance service will be managed by the Cabinet Office. PayPal, Cassidian and Ingeus have also been awarded a place on the identity assurance framework. The GDS (Government Digital Services) has undertaken a redesign of 25 of the most-used transactional public services in a bid to make them simpler and easier to use. The services include electoral registration, patent renewals and Universal Credit. [Source] See also: [Account Takeover: The Fraudsters’ Edge]

Intellectual Property

UK – ISPs to Collect Data on Illegal Downloaders – Reports

Media companies have asked UK broadband providers to collate info on illegal downloaders, which could violate data protection laws. Those caught committing piracy could be subject to internet throttling and even prosecution. In an attempt to clamp down on the illegal downloading of music and films, the British Phonographic Industry (BPI) and the British Video Association have requested BT, Virgin Media, BSkyB and TalkTalk to record information on piracy. The new code of conduct would oblige the companies to gather data on illegal downloaders and store it in a database. The information could then lead to repeat offenders having their internet cut-off or being prosecuted. Internet users will reportedly been given warnings by letter before these measures are taken, reports the Guardian. The move has attracted controversy amid speculation that it may violate the Data Protection Act, as the law says that companies may only retain personal data relating to a client if it is for commercial purposes. The proposal comes as part of a nationwide clampdown on growing internet piracy. Between November 2012 and January 2013, UK watchdog Offcom reported that 280 million music tracks had been pirated, as well as 52 million television programs. Furthermore, Offcom found that 18% of internet users aged over 12 had recently committed internet piracy, while one 9% actually fear getting caught. [Source]

Internet / WWW

WW – Experts Want Web Security Rewritten

Internet security experts are calling for a campaign to rewrite web security following news that the U.S. National Security Agency is capable of breaking millions of sites’ encryption codes. But that’s a task that would be extremely difficult, the experts admit. “A lot of our foundational technologies for securing the Net have come through the government,” said researcher Dan Kaminsky, adding, “As much as I want to say this is a technology problem we can address, if the nation states decide security isn’t something we’re allowed to have, then we’re in trouble.” Meanwhile, Chris Matyszczyk writes for CNET that trusting corporations over the government when it comes to data privacy is flawed logic. [Reuters]

WW – Academics Explore the Intersection of Privacy and Big Data

In anticipation of the Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” [Full Story]

Law Enforcement

US – Law Enforcement Surveillance Tools Abound

Ars Technica reports on BlueJay—a